
Analysis Report javac_2.zip

Overview

General Information

Sample Name:javac_2.zip
Analysis ID:324351
MD5:2dbf6d6fff46989a6500984749ac9042
SHA1:1d508557a49a88297f84249be7fa27444f8066e9
SHA256:902b09e410c49be6844df9c2172db8a0774e8425176baed00ad11a1ac2888c53


Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis

Classification

Startup

  • System is w10x64
  • unarchiver.exe (PID: 3504 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\javac_2.zip' MD5: 8B435F8731563566F3F49203BA277865)
    • 7za.exe (PID: 5108 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\qhusc5na.0zt' 'C:\Users\user\Desktop\javac_2.zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 5364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 0536097Fh | 0_2_053602A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 0536097Eh | 0_2_053602A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_053602A8 | 0_2_053602A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_05360298 | 0_2_05360298
Source: classification engine | Classification label: clean2.winZIP@4/2@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5364:120:WilError_01
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\sdxtsgtp.2tj
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\javac_2.zip'
Source: unknown | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\qhusc5na.0zt' 'C:\Users\user\Desktop\javac_2.zip'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\qhusc5na.0zt' 'C:\Users\user\Desktop\javac_2.zip'
Source: javac_2.zip | Static file information: File size 1601677 > 1048576
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1396 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_014BB042 GetSystemInfo | 0_2_014BB042
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\qhusc5na.0zt' 'C:\Users\user\Desktop\javac_2.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Virtualization/Sandbox Evasion2 | OS Credential Dumping | Virtualization/Sandbox Evasion2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | System Information Discovery3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

Behavior Graph

Behavior Graph ID: 324351; Sample: javac_2.zip; Start date: 29/11/2020; Architecture: WINDOWS; Score: 2. The graph shows unarchiver.exe starting 7za.exe, which in turn starts conhost.exe (graph image omitted).


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:324351
Start date:29.11.2020
Start time:13:28:34
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 28s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:javac_2.zip
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean2.winZIP@4/2@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 49
  • Number of non-executed functions: 1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .zip
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log
Process:C:\Windows\SysWOW64\unarchiver.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):388
Entropy (8bit):5.2529463157768355
Encrypted:false
SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk7v:MLF20NaL329hJ5g522r0
MD5:FF3B761A021930205BEC9D7664AE9258
SHA1:1039D595C6333358D5F7EE5619FE6794E6F5FDB1
SHA-256:A3517BC4B1E6470905F9A38466318B302186496E8706F1976F1ED76F3E87AF0F
SHA-512:1E77D09CF965575EF9800B1EE8947A02D98F88DBFA267300330860757A0C7350AF857A2CB7001C49AFF1F5BD1E0AE6E90F643B27054522CADC730DD14BC3DE11
Malicious:false
Reputation:moderate, very likely benign file
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
C:\Users\user\AppData\Local\Temp\sdxtsgtp.2tj\unarchiver.log
Process:C:\Windows\SysWOW64\unarchiver.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1525
Entropy (8bit):5.0272434996884146
Encrypted:false
SSDEEP:24:rWmfKmiJ8miJjWI8miJ8miJUwimiJfzSmiJ8miJFTYmiJbumiJZmiJoJmiJxmiJn:q2bGhGbhGhGpDG/GhGpFGbXGkGJGMGhZ
MD5:7A9D5A30C7E44DCF1064B8A31B1EAB37
SHA1:F4C9850FEE76D7AB25A9C89721653B6809C57371
SHA-256:E663794E5F0642D2482A60A49123999694E6D5A51A7837161977E736B1402A1A
SHA-512:944C83854407CE97EDE94E64EFBFDCD0353AB14E5B74D13B2C1A32413E27A73066DB600DD1EADA0712A920D414F550300472C5D6A399B65C61956EF594B7750D
Malicious:false
Reputation:low
Preview: 11/29/2020 1:29 PM: Unpack: C:\Users\user\Desktop\javac_2.zip..11/29/2020 1:29 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\qhusc5na.0zt..11/29/2020 1:29 PM: Received from standard out: ..11/29/2020 1:29 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..11/29/2020 1:29 PM: Received from standard out: ..11/29/2020 1:29 PM: Received from standard out: Scanning the drive for archives:..11/29/2020 1:29 PM: Received from standard out: 1 file, 1601677 bytes (1565 KiB)..11/29/2020 1:29 PM: Received from standard out: ..11/29/2020 1:29 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\javac_2.zip..11/29/2020 1:29 PM: Received from standard out: --..11/29/2020 1:29 PM: Received from standard out: Path = C:\Users\user\Desktop\javac_2.zip..11/29/2020 1:29 PM: Received from standard out: Type = zip..11/29/2020 1:29 PM: Received from standard out: Physical Size = 1601677..11/29/2020 1:29 PM: Received from standard out:

Static File Info

General

File type:Zip archive data, at least v2.0 to extract
Entropy (8bit):7.999898544532421
TrID:
  • ZIP compressed archive (8000/1) 100.00%
File name:javac_2.zip
File size:1601677
MD5:2dbf6d6fff46989a6500984749ac9042
SHA1:1d508557a49a88297f84249be7fa27444f8066e9
SHA256:902b09e410c49be6844df9c2172db8a0774e8425176baed00ad11a1ac2888c53
SHA512:21312955806e95d01b7c878c7ac5be2cb4e3bfe77f2bf5bf0d3467d7646fced225bbb6aa33cbf41e7519cf1d51bd3ea87d7213a9a1d5579acc09762232844b8d
SSDEEP:49152:P/F3FkM5M69euT+c3iEpD3HIDDG0mkmLAC+aD:nJWSEuT+cyEpMLese
File Content Preview:PK........xyyQP'...o...o......javac.zip....UZ.]:..w.........:m.G<3.......%.....^..0rz.U.u..^.j...x.#.tWH...4W......^....^.q+e]|h.Vh.L..e...fi.!l.1.E..E..G..o._.kR.L.....k.V.>........x'.`............V...pIq..|Uy..]...7.b....\$..WtE!.D..A..../?^...P^.0.....

File Icon

Icon Hash:00828e8e8686b000

Network Behavior

No network behavior found


System Behavior

General

Start time:13:29:18
Start date:29/11/2020
Path:C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\javac_2.zip'
Imagebase:0xbb0000
File size:10240 bytes
MD5 hash:8B435F8731563566F3F49203BA277865
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:moderate

General

Start time:13:29:18
Start date:29/11/2020
Path:C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\qhusc5na.0zt' 'C:\Users\user\Desktop\javac_2.zip'
Imagebase:0x1080000
File size:289792 bytes
MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:29:19
Start date:29/11/2020
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6b2800000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:19.9%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:5%
    Total number of Nodes:80
    Total number of Limit Nodes:5


    Executed Functions

    Control-flow Graph: function at 053602a8 (graph omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.205344036.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5360000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID: :@:r$X1ar
    • API String ID: 0-3821969665
    • Opcode ID: 01482b55078a9e29d9f714408f669957d1e29462a1a3fa1a6a86e3e1a5c5fd8f
    • Instruction ID: 682c26600e1c35b5e3541bc0a71f10afe8ea759f1ac5e0a8858a5dc198a3fbfc
    • Opcode Fuzzy Hash: 01482b55078a9e29d9f714408f669957d1e29462a1a3fa1a6a86e3e1a5c5fd8f
    • Instruction Fuzzy Hash: 5522C774E00218DFDB14DFAAD898B9DBBB2FB89301F10D1AAD809A7255DB349D85CF50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemInfo.KERNELBASE(?), ref: 014BB074
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: InfoSystem
    • String ID:
    • API String ID: 31276548-0
    • Opcode ID: 3d48498e7a54bab4c22832b863967c2a9b4d0058fb53c0f9cc43773248c4e3c3
    • Instruction ID: bc98f5b024b3e1b3acbbe58aab82fc12f71caa1cab166e480d5ebdd389504581
    • Opcode Fuzzy Hash: 3d48498e7a54bab4c22832b863967c2a9b4d0058fb53c0f9cc43773248c4e3c3
    • Instruction Fuzzy Hash: BC01A2B0804244DFDB10CF29D8857A6FFE4DF44620F18C4ABDE498F252D2B5A405CB72
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: function at 014bb0b2 (graph omitted)
    APIs
    • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 014BB15F
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: 8d3dc8caeea2651adb9015946d6701951df4945dc8d24e36c0d3d3b94cb86a49
    • Instruction ID: 10ce77ec29e53ecc8eb8b301456e22849ca26f0d76eeafb2f357afefeb44a440
    • Opcode Fuzzy Hash: 8d3dc8caeea2651adb9015946d6701951df4945dc8d24e36c0d3d3b94cb86a49
    • Instruction Fuzzy Hash: 0B31A172504344AFEB228F65DC45FA6BFACEF46710F04859AE985CB162D224A819CB71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: function at 014bab70 (graph omitted)
    APIs
    • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 014BAC13
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: f0daa2052f490eac82c2f4f818b11e45ef5e5aadb43b765e23023ff09eaf3fb1
    • Instruction ID: f81fbe88c31006984af57dd18b07384fe6cbd9a1d59f116a9b25357d5480102d
    • Opcode Fuzzy Hash: f0daa2052f490eac82c2f4f818b11e45ef5e5aadb43b765e23023ff09eaf3fb1
    • Instruction Fuzzy Hash: 1A31B572504344AFEB228B65DC44F67BFBCEF46710F0488ABF985DB152D264A415CB71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: function at 014ba504 (graph omitted)
    APIs
    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 014BA5A9
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 32772c4eb1b3ab2414ad12569a4d6144eb10df11f5ddaa93283302dc0da8389c
    • Instruction ID: 0ae317af29d25cb9a7131a0034edc5c4f047f718aa05eb58ea7bc00e43aef5c0
    • Opcode Fuzzy Hash: 32772c4eb1b3ab2414ad12569a4d6144eb10df11f5ddaa93283302dc0da8389c
    • Instruction Fuzzy Hash: A73190B1504384AFE722CF65CC84FA6BFE8EF45610F18849EE9858B252D375E905CB71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: function at 014ba9e2 (graph omitted)
    APIs
    • CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 014BAAA2
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: CreatePipe
    • String ID:
    • API String ID: 2719314638-0
    • Opcode ID: c57f1e2f9a954fe290dddd66bf09e07a2b5ceeb849615d52730c68d5760deb1c
    • Instruction ID: 7ac8eedae0cc5b7a83e087c7aa6c1ceee7d226a850d79759527332aeb95e4053
    • Opcode Fuzzy Hash: c57f1e2f9a954fe290dddd66bf09e07a2b5ceeb849615d52730c68d5760deb1c
    • Instruction Fuzzy Hash: 6C318F6640E3C46FD3138B718C61A55BFB4AF87610F1D84CBD8C48F2A3D2686919C7A6
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: function at 014ba120 (graph omitted)
    APIs
    • FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 014BA1C2
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: FileFindNext
    • String ID:
    • API String ID: 2029273394-0
    • Opcode ID: 9419fc3b7bcf02716b1e8568c8d90ea335c3e3663755c187342b3b46c380586e
    • Instruction ID: 4173de17a71a5b7c023a201a1121c3c22447211067fc1580234617640b52ac72
    • Opcode Fuzzy Hash: 9419fc3b7bcf02716b1e8568c8d90ea335c3e3663755c187342b3b46c380586e
    • Instruction Fuzzy Hash: 5721A67140D3C06FD7128B758C51B62BFB4EF87610F1985DBDD848F193D225A919C7A2
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: function at 014bb0e2 (graph omitted)
    APIs
    • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 014BB15F
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: 08fc80290f4ee0aa4bb50156711f293c671e7a7fb581230c77686fdaa700015c
    • Instruction ID: c02df4455178ab3ce5426dcfe08743b77fb58f4c3bde3265eb6cd3880ca0bec3
    • Opcode Fuzzy Hash: 08fc80290f4ee0aa4bb50156711f293c671e7a7fb581230c77686fdaa700015c
    • Instruction Fuzzy Hash: 0B21BD72500204AFEB219F69DC85FABFBACEF44720F14896BEE459B251D670A4098B71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: function at 014bab96 (graph omitted)
    APIs
    • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 014BAC13
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: 5c9f0d48284022befe2a7557b78ce3a9b95bb0a3aa8ffa404acb956ea34251cc
    • Instruction ID: 2cc3651442ada575f6c603dc130a15d818a7b75fb66c273ab0e85e8210234d45
    • Opcode Fuzzy Hash: 5c9f0d48284022befe2a7557b78ce3a9b95bb0a3aa8ffa404acb956ea34251cc
    • Instruction Fuzzy Hash: 9F21B272500304AFEB21DF68DC85FABFBACEF44710F14886BEE459B251D670A4098BB1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: function at 014ba77c (graph omitted)
    APIs
    • SetFilePointer.KERNELBASE(?,00000E2C,0C95492C,00000000,00000000,00000000,00000000), ref: 014BA80A
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: FilePointer
    • String ID:
    • API String ID: 973152223-0
    • Opcode ID: 9e3d3bfad027b86150c8fa248394d011d66e92b29f7fc88d3410bd59bed2fa87
    • Instruction ID: 2a54b5b81dfd6a40967333263b483329924372fe97c170784e816816e3ae7369
    • Opcode Fuzzy Hash: 9e3d3bfad027b86150c8fa248394d011d66e92b29f7fc88d3410bd59bed2fa87
    • Instruction Fuzzy Hash: E0219071408380AFE7128B64DC80FA6BFB8EF46710F1884ABED849B253C264A809C771
    Uniqueness

    Uniqueness Score: -1.00%

Control-flow Graph (image not included)

    APIs
    • WriteFile.KERNELBASE(?,00000E2C,0C95492C,00000000,00000000,00000000,00000000), ref: 014BA8ED
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 77dd3715bb7cf89b3185eb34250fcd57da970b37855158dd65afc135f09eec9e
    • Instruction ID: d2fdde53f7aaba1d6cff82f01d6487adaf9641c5465622b3c6287767ff7c2b5a
    • Opcode Fuzzy Hash: 77dd3715bb7cf89b3185eb34250fcd57da970b37855158dd65afc135f09eec9e
    • Instruction Fuzzy Hash: 34218171409380AFDB228F65DC45F97BFB8EF46710F18849BEA849F262C275A409CB71
    Uniqueness

    Uniqueness Score: -1.00%

Control-flow Graph (image not included)

    APIs
    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 014BA5A9
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: c02bc5b5203d155e15a2d8c538fdc618c7936744a26ba0a1a5b737abf3f82b27
    • Instruction ID: 6444de2d5f9436e2d5203cdec7598042c13a5722537066c00e82c039fca55067
    • Opcode Fuzzy Hash: c02bc5b5203d155e15a2d8c538fdc618c7936744a26ba0a1a5b737abf3f82b27
    • Instruction Fuzzy Hash: B0219AB1500604AFEB21DF69CC85FA6FBE8EF08610F24846AEA858B252D371E505CB71
    Uniqueness

    Uniqueness Score: -1.00%

Control-flow Graph (image not included)

    APIs
    • EnumThreadWindows.USER32(?,00000E2C,?,?), ref: 014BB6E2
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: EnumThreadWindows
    • String ID:
    • API String ID: 2941952884-0
    • Opcode ID: 98a34f87b4f212f7e79eba298a8bea05e5e3dfb01c10ca9466eaac38b11a7a68
    • Instruction ID: 5a6abcb8c0889e6ddd461eae7603c7a86e9a383275e87f85f42fe6c68abcc9f5
    • Opcode Fuzzy Hash: 98a34f87b4f212f7e79eba298a8bea05e5e3dfb01c10ca9466eaac38b11a7a68
    • Instruction Fuzzy Hash: 3821627150E3C06FD3139B258C55A22BFB4EF87610F0A81DBD8848B593D264A919C7B2
    Uniqueness

    Uniqueness Score: -1.00%

Control-flow Graph (image not included)

    APIs
    • GetFileType.KERNELBASE(?,00000E2C,0C95492C,00000000,00000000,00000000,00000000), ref: 014BA741
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    • Opcode ID: 5f69075bf80203c258161c274df079bdc10df6763fe3cbd3cd7dcfec8f5ef900
    • Instruction ID: 0d55f2ccc09e1e1af06f7b43ca6f4db2178e69885f1fa0ce66aa2894779c8084
    • Opcode Fuzzy Hash: 5f69075bf80203c258161c274df079bdc10df6763fe3cbd3cd7dcfec8f5ef900
    • Instruction Fuzzy Hash: 5621D5B54083806FE7128B25DC81FA6BFB8DF47710F1880DBED849B253D264A909C771
    Uniqueness

    Uniqueness Score: -1.00%

Control-flow Graph (image not included)

    APIs
    • FindCloseChangeNotification.KERNELBASE(?), ref: 014BA674
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: e9254a73ae5798586a672f6a7340b68d357be84bbfb25167af6ea09c7bd5b9b0
    • Instruction ID: be56fbca58ae7cc571c00125f243d17557182b57371c0216c3ba2b3265415b3a
    • Opcode Fuzzy Hash: e9254a73ae5798586a672f6a7340b68d357be84bbfb25167af6ea09c7bd5b9b0
    • Instruction Fuzzy Hash: D9219DB54093C0AFD7138B299C95692BFB4AF43220F1980DBDD858B2A3D2699908C772
    Uniqueness

    Uniqueness Score: -1.00%

Control-flow Graph (image not included)

    APIs
    • GetFileAttributesExW.KERNELBASE(?,?,?), ref: 014BA332
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: 7521e93c94178685b12c179282d9446f575fbfd7d16467a043b5c8f1d1f72978
    • Instruction ID: 843627953349f3411b914e97d1fef1efab9bf01ac772a61b2530442a7a3f27f4
    • Opcode Fuzzy Hash: 7521e93c94178685b12c179282d9446f575fbfd7d16467a043b5c8f1d1f72978
    • Instruction Fuzzy Hash: 5E21C3B1509380AFE7128F25DC40B52BFB8EF46610F0884DBED44CB263D275A808CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BB4AA
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: 2a942edc40fdad5a369d3a78d3651825117a016f52300242fdbb684d786e1e14
    • Instruction ID: 93980ae481545b6e4d7c1e70be442f4cc29aee25ec6263404939a2ef1fbe206b
    • Opcode Fuzzy Hash: 2a942edc40fdad5a369d3a78d3651825117a016f52300242fdbb684d786e1e14
    • Instruction Fuzzy Hash: BE2180724093C0AFDB238F64DC54A52BFB4EF4A214F0C85DAED858B163D279A918DB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateDirectoryW.KERNELBASE(?,?), ref: 014BA4AF
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID:
    • API String ID: 4241100979-0
    • Opcode ID: 3075a98e1bab31580b223889bb11901c4ef0974e55720f0bd7916a6fcd823a53
    • Instruction ID: e550dfa385787e77c21d040d6b30318733bc17191b23e7214142ff52cdc9f260
    • Opcode Fuzzy Hash: 3075a98e1bab31580b223889bb11901c4ef0974e55720f0bd7916a6fcd823a53
    • Instruction Fuzzy Hash: 8211A2715053809FD715CF29DC85B96BFE8EF46220F1884AAED45CB262D278E804CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteFile.KERNELBASE(?,00000E2C,0C95492C,00000000,00000000,00000000,00000000), ref: 014BA8ED
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 7a2232dd3d4319cf47cb0b660519f76721dbed94611b5ba12a5a406d82f51a20
    • Instruction ID: a8061064bbfac08284895092e7543467f24713f915bbe8a369f43dac512d87fe
    • Opcode Fuzzy Hash: 7a2232dd3d4319cf47cb0b660519f76721dbed94611b5ba12a5a406d82f51a20
    • Instruction Fuzzy Hash: DA11BF71400204EFEB21CF65DC81FABFFA8EF44720F14886BEE459B251C274A4098BB1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MessageBoxW.USER32(?,?,?,?), ref: 014BB779
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: Message
    • String ID:
    • API String ID: 2030045667-0
    • Opcode ID: de9a961b00b362cfffae3ee255b8b363b54ffecef11acac2a9328232452b5363
    • Instruction ID: d221b2b6577b0826db6e191750a27c747aafb1c91ed14df18cb229cdb252722e
    • Opcode Fuzzy Hash: de9a961b00b362cfffae3ee255b8b363b54ffecef11acac2a9328232452b5363
    • Instruction Fuzzy Hash: 381190B5504384AFE7218F19DC85B63FFB8EF55620F08849AED848B263D271E808CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetFilePointer.KERNELBASE(?,00000E2C,0C95492C,00000000,00000000,00000000,00000000), ref: 014BA80A
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: FilePointer
    • String ID:
    • API String ID: 973152223-0
    • Opcode ID: 095ceed43290e583be6c00be602728d5742d33131e014dae410765c49c56ec82
    • Instruction ID: 9b84208966b803c3f446696e7ef6377cf78e8b1f7a1365f160b9347535ec4c7b
    • Opcode Fuzzy Hash: 095ceed43290e583be6c00be602728d5742d33131e014dae410765c49c56ec82
    • Instruction Fuzzy Hash: 4711C171400200AFEB21DF68DC81FA7FFA8EF44720F14846BEE499B251C674A4098BB1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateDirectoryW.KERNELBASE(?,?), ref: 014BA4AF
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID:
    • API String ID: 4241100979-0
    • Opcode ID: 6364f31a7cc250d8fbdf22b0b4830a24bd1627b08fc43efba0b26a42ab793cae
    • Instruction ID: 07933a2afa007c4fe1a86eae4fd248a3726b0f0beeab770e69d3261cb74e0c39
    • Opcode Fuzzy Hash: 6364f31a7cc250d8fbdf22b0b4830a24bd1627b08fc43efba0b26a42ab793cae
    • Instruction Fuzzy Hash: 13118E716002009FEB10CF29D9897A6FBD8EF44620F18C4BBDD09CB252E678E405CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetFileType.KERNELBASE(?,00000E2C,0C95492C,00000000,00000000,00000000,00000000), ref: 014BA741
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    • Opcode ID: 3ac942d3e693ae3b9aadf54835100b491976c2b26744dddaf893e7e9c547bbe6
    • Instruction ID: c5996c261089a53b57e5dc67006ca294063be13193c2bb3bea5bdbbb67e3d2bd
    • Opcode Fuzzy Hash: 3ac942d3e693ae3b9aadf54835100b491976c2b26744dddaf893e7e9c547bbe6
    • Instruction Fuzzy Hash: 3E01D271504604AEE720DB29DC85FA7FFA8DF45720F2480A7EE459B352D6B4E4098BB1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: CloseFind
    • String ID:
    • API String ID: 1863332320-0
    • Opcode ID: 85ea1edf7b7184ebaf26862fbe5d79eb0c9549bb6b39391f67aa8e403d671efb
    • Instruction ID: 9c1d8213549a1161facd4d890620bc4cb2812298dbb5d9edd646c01e356d6c3d
    • Opcode Fuzzy Hash: 85ea1edf7b7184ebaf26862fbe5d79eb0c9549bb6b39391f67aa8e403d671efb
    • Instruction Fuzzy Hash: 82117075549384AFD7128B29DC85A52FFF4EF46220F0984DBED858B263C275A848CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemInfo.KERNELBASE(?), ref: 014BB074
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: InfoSystem
    • String ID:
    • API String ID: 31276548-0
    • Opcode ID: 0d0ed889496a78f0fa641b6f1ed780bae0692da80ed1612b297eee4c6e412f6f
    • Instruction ID: ad6e5645ba937dc619bd389232c62612161f5f983c10bb01605cdebf3697927b
    • Opcode Fuzzy Hash: 0d0ed889496a78f0fa641b6f1ed780bae0692da80ed1612b297eee4c6e412f6f
    • Instruction Fuzzy Hash: D0115EB1409384AFDB12CF25DC85B56BFA4DF46220F1884EBED848F253D275A948CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetFileAttributesExW.KERNELBASE(?,?,?), ref: 014BA332
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: bdcb59770f1253dba49ba45cee73447cc0673dd3b8627bd9da05c3083ebb8d2f
    • Instruction ID: 6e472c2c0a4805041c570cc1a5e89554f2949081264020c01b95af7b885afb8b
    • Opcode Fuzzy Hash: bdcb59770f1253dba49ba45cee73447cc0673dd3b8627bd9da05c3083ebb8d2f
    • Instruction Fuzzy Hash: E8016D715056009FDB10CF69D885796FFE4EF44620F2894ABDD498B262D6B5E404CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetErrorMode.KERNELBASE(?), ref: 014BA290
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: 9b3eb4230498210df04fa636fb3452e5d450b57eac1dbfacba616141ea651e8a
    • Instruction ID: 0af0f4acdb44b1d0bc7b1511d3024878c5780fdcfdd1f5fbf4b1acfad4e8c374
    • Opcode Fuzzy Hash: 9b3eb4230498210df04fa636fb3452e5d450b57eac1dbfacba616141ea651e8a
    • Instruction Fuzzy Hash: 55116171409384AFD7128B15DC84B62FFB4DF46624F1880DBED858B263D275A908CBB2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 014BAAA2
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: CreatePipe
    • String ID:
    • API String ID: 2719314638-0
    • Opcode ID: b6b78d44dca2ed4d0be6fb114e9c6937a7ef31b1779b33b51eb432a6878d8bdb
    • Instruction ID: 5f350b33b36d96f3ac399698e297a41c6f714f2e926f0bd4ad35de1e1c476191
    • Opcode Fuzzy Hash: b6b78d44dca2ed4d0be6fb114e9c6937a7ef31b1779b33b51eb432a6878d8bdb
    • Instruction Fuzzy Hash: D8017172540600ABD750DF16DC86F26FBA8FBC8B20F14856AED089B741E371B915CBE5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 014BA1C2
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: FileFindNext
    • String ID:
    • API String ID: 2029273394-0
    • Opcode ID: 2f85a0e3e7770f2f2dc2ed8a6c36a8c174615d1e573d6613683c291f4e04ae78
    • Instruction ID: 81215cd3f7be47ab0df2298af002b9374f2cc8b2216028993e8f451314a5a66b
    • Opcode Fuzzy Hash: 2f85a0e3e7770f2f2dc2ed8a6c36a8c174615d1e573d6613683c291f4e04ae78
    • Instruction Fuzzy Hash: E7017171540600ABD710DF16DC86B26FBA8FBC8A20F14856AED089B741E375B915CBE5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MessageBoxW.USER32(?,?,?,?), ref: 014BB779
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: Message
    • String ID:
    • API String ID: 2030045667-0
    • Opcode ID: fc84af92059998daa80debff0c0b41ce2160fdf3272f1c636b416735a9bed3f3
    • Instruction ID: a23369dbc6304ea28fcf21dc678bbf255cafb7594e18396d98588dac2ea98473
    • Opcode Fuzzy Hash: fc84af92059998daa80debff0c0b41ce2160fdf3272f1c636b416735a9bed3f3
    • Instruction Fuzzy Hash: A5014C75600604DFEB20DF2AD885B67FFE8EF14620F08849ADD498B366D275E449CA71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BB4AA
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: 37aa65a4baeef8f30e3653fb34b91e08ae696f13ae8e7de57665fea1a5ef488d
    • Instruction ID: d9ce4256b82cd4ce20230c32b0ae3893814ea541e6bcdf7b1a689076046119f2
    • Opcode Fuzzy Hash: 37aa65a4baeef8f30e3653fb34b91e08ae696f13ae8e7de57665fea1a5ef488d
    • Instruction Fuzzy Hash: F2015B31400600AFDB228F55D984B56FFE0FF48720F18C9AADE494A622C275A419DB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindCloseChangeNotification.KERNELBASE(?), ref: 014BA674
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: c938aba4130202cf394fb0c2c3fff584b6431a9bc32cac8c05dbc8f79c18ddc7
    • Instruction ID: 0a585d72c2e86a05c34bcce63fcb3c216f0fd4bc2763eaa91e0f927d12a277d5
    • Opcode Fuzzy Hash: c938aba4130202cf394fb0c2c3fff584b6431a9bc32cac8c05dbc8f79c18ddc7
    • Instruction Fuzzy Hash: A9018FB19042409FDB11CF29D8857A6FFA4EF84620F18C4ABDD498B352D6B5A848CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnumThreadWindows.USER32(?,00000E2C,?,?), ref: 014BB6E2
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: EnumThreadWindows
    • String ID:
    • API String ID: 2941952884-0
    • Opcode ID: 7b166b5a35d0570a9a2e0d995ad4b2ca9a28d5b0ee46bdf7502cdb1a57c62e0f
    • Instruction ID: 622ed336b156bf47071881045c69b032796ebe93d00721733db6153fb1d45206
    • Opcode Fuzzy Hash: 7b166b5a35d0570a9a2e0d995ad4b2ca9a28d5b0ee46bdf7502cdb1a57c62e0f
    • Instruction Fuzzy Hash: B301AD72600600ABD250DF16DC82F26FBA8FBC8B20F14811AED084B741E371F916CBE6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: CloseFind
    • String ID:
    • API String ID: 1863332320-0
    • Opcode ID: f5f9fff891fb0087ac2d613648740e6bd8a16034d486b568d03558f27be085ec
    • Instruction ID: c7e5492cfe739de9f6427824ac2c1a16d10dfda1e8064cc1440c46b19149a8fe
    • Opcode Fuzzy Hash: f5f9fff891fb0087ac2d613648740e6bd8a16034d486b568d03558f27be085ec
    • Instruction Fuzzy Hash: 7F01D1755406409FDB108F19D8857A6FFA4DF04630F18C0ABDD098B362D6B5A448CBB2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetErrorMode.KERNELBASE(?), ref: 014BA290
    Memory Dump Source
    • Source File: 00000000.00000002.204648619.00000000014BA000.00000040.00000001.sdmp, Offset: 014BA000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14ba000_unarchiver.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: 691812d9f2addc71bffa641b3edd17508cb40c1f2a909fe875d7c458125ee304
    • Instruction ID: 966636d42101ae91635d673f9b6eff7d0ed2f303b8ba56141c8ea180e8d61bf3
    • Opcode Fuzzy Hash: 691812d9f2addc71bffa641b3edd17508cb40c1f2a909fe875d7c458125ee304
    • Instruction Fuzzy Hash: 5FF08C359046449FDB14CF59D8857A2FFA0EF08720F68C0ABDD494B322D2B6A448CEB2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.205344036.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5360000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 74388ed75cf9ca73e4d1013ab4261354f8cb49b9cef52657d7fbd9e710628346
    • Instruction ID: 1b771e090f2fd85ecdf84a5e4ccbaacafaade02210f38607ec9abba5b2813f8c
    • Opcode Fuzzy Hash: 74388ed75cf9ca73e4d1013ab4261354f8cb49b9cef52657d7fbd9e710628346
    • Instruction Fuzzy Hash: 7651D874E42208DFCB19DFB9D490AAEBBB2FF8A300F209469D405B7350DB399941CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.205344036.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5360000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b6c35351adb6a7400e48147c1ee1ec34e5f04b14dd0b3955f7e91be88cf83bf7
    • Instruction ID: 8701956c4743b53bb662fa0c68e979670966590a385ad6e5f37d49d7b753f569
    • Opcode Fuzzy Hash: b6c35351adb6a7400e48147c1ee1ec34e5f04b14dd0b3955f7e91be88cf83bf7
    • Instruction Fuzzy Hash: 13212775D01208DFCB54CFA6E8896EEBBB6FB89314F20852AD805B3254DB745D46CF90
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.205344036.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5360000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5eed47135dd6b485b33c065f63bf2364de23cf6bf23b6a02d52fe28c2151f136
    • Instruction ID: 4ffce604bdccd57857f06d6647508cd78b756f53c52199c7a1ab767b66ff979d
    • Opcode Fuzzy Hash: 5eed47135dd6b485b33c065f63bf2364de23cf6bf23b6a02d52fe28c2151f136
    • Instruction Fuzzy Hash: F1211475D011089FCB04DFA6E8496EEBBB6EB89304F20852AD901B3254DB74AE46CF90
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.204639214.0000000001480000.00000040.00000040.sdmp, Offset: 01480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1480000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6a620da4cb894f4bab5b6f6658672c1a6debeb12978cc1650151b28612705449
    • Instruction ID: 79dae3dd7f5508cfc3086ad8ab8a079947c65fbf268e8eeb468edbf6a6cd7d74
    • Opcode Fuzzy Hash: 6a620da4cb894f4bab5b6f6658672c1a6debeb12978cc1650151b28612705449
    • Instruction Fuzzy Hash: 5301B1B24093406FD701DB14AC41D96BBFCEF86920B08C56EFD4887201E265A9148BB2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.204639214.0000000001480000.00000040.00000040.sdmp, Offset: 01480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1480000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3d1ceb2fd2cf7139df7b4391963376a01adae7cb7ac94c54e3353b4780e35288
    • Instruction ID: 23a530c948bf568a1d68b706ac5ad232fafd7604b6f95986006b8704c423742c
    • Opcode Fuzzy Hash: 3d1ceb2fd2cf7139df7b4391963376a01adae7cb7ac94c54e3353b4780e35288
    • Instruction Fuzzy Hash: E801D6B25097806FD7128B16EC40863FFBCEF86670749C09FED498B612D265A908CBB1
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.205344036.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5360000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 444bc1ae1e7406c9382e77fc3ba0af1e34f735c142c4609b26dfe5ba675a5da6
    • Instruction ID: fc90423398d65d14501da1ea722c916f24882e55f2d2b7d3a06c26b74c625423
    • Opcode Fuzzy Hash: 444bc1ae1e7406c9382e77fc3ba0af1e34f735c142c4609b26dfe5ba675a5da6
    • Instruction Fuzzy Hash: 9801E274C01219DFCB18DFA9C44A7AEBBB1BF45301F2099A9C405B7390D7B99A84CF95
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.205344036.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5360000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e9c897bd729463b3d4c09b44db2bf6877f39abba5a0f30d8e42ad452c4a35bf7
    • Instruction ID: c4f2a3e7d548c9f8b8e08ba5fe9a572f6b98160d2c176d14795889b74307a9e8
    • Opcode Fuzzy Hash: e9c897bd729463b3d4c09b44db2bf6877f39abba5a0f30d8e42ad452c4a35bf7
    • Instruction Fuzzy Hash: C401D075C02249DFCB08EFA9C549BAEBBB1BF01304F2095AE8415B7280D7799A84CF94
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.205344036.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5360000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c1f7d890af3d9119f592adb447918601726aa5cdd1444b2c7d806c454b0ebf69
    • Instruction ID: e69a235fb24195fab2cba8e2f6b8ffb501940bd9856c00130f37f2287e96dab7
    • Opcode Fuzzy Hash: c1f7d890af3d9119f592adb447918601726aa5cdd1444b2c7d806c454b0ebf69
    • Instruction Fuzzy Hash: CC01D274D02259DFCB08EFB9C449BAEBBB1BB45301F2099ADC41573280D7B89A84CF94
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.205344036.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5360000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b7b4584d9cc4fb0fcbabda3c08efc433abc18d118459c5f5cf7f8a36d61e30d7
    • Instruction ID: 1101bd4afd91295e7bd86521a5f9feb2c7182104aa56f856a21392c412b3b7f1
    • Opcode Fuzzy Hash: b7b4584d9cc4fb0fcbabda3c08efc433abc18d118459c5f5cf7f8a36d61e30d7
    • Instruction Fuzzy Hash: 4E01D274D02209DFCB08EFB9C549BAEBBB1BB45301F2099ADC41577280D7B89A84CF94
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.205344036.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5360000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3e07b2c5ecf452a464708e2e7e402eaa6ca7b0cc1dfddfe8576d392239bf8cf6
    • Instruction ID: 8a9b0a09f2d8ca43835158c889dd8c4bc755b86714512b231bce07ea4fbaefab
    • Opcode Fuzzy Hash: 3e07b2c5ecf452a464708e2e7e402eaa6ca7b0cc1dfddfe8576d392239bf8cf6
    • Instruction Fuzzy Hash: DA0137B4D09209DBCB48EFA9C545AAEBBF1EF85300F2094AAC409B7355DB759A01CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.204639214.0000000001480000.00000040.00000040.sdmp, Offset: 01480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1480000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1f969ee5aa8e27b1e29752f46725d56496a43315ed6c28c2c92a17eb557715a8
    • Instruction ID: 3155359ebba50512507217985c041a01c6a63d210620d99ac677ade6300b32a2
    • Opcode Fuzzy Hash: 1f969ee5aa8e27b1e29752f46725d56496a43315ed6c28c2c92a17eb557715a8
    • Instruction Fuzzy Hash: 66F08CB2945204ABD240DF15ED428A6F7ECDFC4921B18C52EFC088B301E276AA148AF6
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.204639214.0000000001480000.00000040.00000040.sdmp, Offset: 01480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1480000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0b2b0fdedad72ecaf781b36735eee9cd18cc07d3780813a5d3310b28cdd7408a
    • Instruction ID: def958366c87fa5fe21822234662719bb374e690c17930362a1ca8af5726c2bc
    • Opcode Fuzzy Hash: 0b2b0fdedad72ecaf781b36735eee9cd18cc07d3780813a5d3310b28cdd7408a
    • Instruction Fuzzy Hash: EBE092B66446008BD650DF0BEC42452FBE8EB88A30B18C07FDC0D8B701E175B504CFA5
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.204645804.00000000014B2000.00000040.00000001.sdmp, Offset: 014B2000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14b2000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d97969fa272f092908942a94a0f36e09f24ac6fac7d9ac59e7f4a7dd4dec2678
    • Instruction ID: b95e83c923988ff9a85bdba6636a4273c64706f0eb4ff264577effb2bcca90c3
    • Opcode Fuzzy Hash: d97969fa272f092908942a94a0f36e09f24ac6fac7d9ac59e7f4a7dd4dec2678
    • Instruction Fuzzy Hash: 03D05B752156914FD3168A1CC1A4FD53FA4EF51B05F4644FEE8008B773C368E591D110
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.204645804.00000000014B2000.00000040.00000001.sdmp, Offset: 014B2000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14b2000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9029eb9ffffceac112cdebe7e5d7b1bfd039293e1f53db621008ae47f0a518c8
    • Instruction ID: cfc6ce0e79bb572f06a51a02998b9855c54c3f3576d0c39068bcd1aabda63a52
    • Opcode Fuzzy Hash: 9029eb9ffffceac112cdebe7e5d7b1bfd039293e1f53db621008ae47f0a518c8
    • Instruction Fuzzy Hash: 25D05E342012818BD715DB1CC5D4F9A3BD4AB41B00F0654E9AD00CB772C3B4E8C1D610
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000000.00000002.205344036.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5360000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9d451ac8132c0937680a2c73de1806498579eac52eea689ad3ba3675e32f3ff5
    • Instruction ID: ce8d679130a52064f35f0f49c522d19fa5068014403f1b58c9dea3594bc6a6fa
    • Opcode Fuzzy Hash: 9d451ac8132c0937680a2c73de1806498579eac52eea689ad3ba3675e32f3ff5
    • Instruction Fuzzy Hash: E581DD75E10604DFDB58DFAAE848A9DBBB3FB8D301F10C1A9D809A7268DB345985CF50
    Uniqueness

    Uniqueness Score: -1.00%