
Windows Analysis Report: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh

Overview

General Information

Sample Name: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
Analysis ID: 482886
MD5: b71a9e479123528ba6f7b8642b924d0e
SHA1: 5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
SHA256: 1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found inlined nop instructions (likely shell or obfuscated code)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function

Only the first signature concerns the submitted archive. The other three fired on C:\Windows\SysWOW64\unarchiver.exe, the sandbox's own .NET extraction helper (every behavioural row in the signature details names it as the source), so they describe the analysis harness rather than the sample.

Classification

Process Tree

  • System is w10x64
  • unarchiver.exe (PID: 2172 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
    • 7za.exe (PID: 5036 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\zdsmcxok.014' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
  • cleanup

The tree stops at the sandbox's own extractor: no third process was started and no extracted executable appears under "Created / dropped Files", so the archived NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe was never run in this analysis and its runtime behaviour is not covered by this report.

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | Virustotal: Detection: 14%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | ReversingLabs: Detection: 39%

Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 055D099Bh | 0_2_055D02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 055D099Ah | 0_2_055D02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_055D02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_055D0299
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\103b5ifs.cxq
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: classification engine | Classification label: mal48.winLZH@3/1@0/0
Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\zdsmcxok.014' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX (14 identical rows)
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard
Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques followed by a number in parentheses were matched by that many signatures; the remaining entries are the matrix's unmatched placeholder cells.

Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux)
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: Process Injection (12) | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion: Disable or Modify Tools (1) | Process Injection (12) | Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: Process Discovery (1) | System Information Discovery (2) | Query Registry
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Command and Control: Encrypted Channel (1) | Junk Data | Steganography
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data

Behavior Graph

Rendered on the original page. Behavior Graph ID: 482886; Sample: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh; Start date: 14/09/2021; Architecture: WINDOWS; Score: 48. Nodes: the sample, annotated with the signature "Multi AV Scanner detection for submitted file"; unarchiver.exe (started from the sample); 7za.exe (started by unarchiver.exe).


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | 14% | Virustotal | -
NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | 40% | ReversingLabs | Win32.Backdoor.Androm

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 482886
Start date: 14.09.2021
Start time: 09:50:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 33s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Suspected Instruction Hammering Hide Perf
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winLZH@3/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 26
  • Number of non-executed functions: 1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .lzh
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Not all processes were analyzed; the report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\103b5ifs.cxq\unarchiver.log
Process: C:\Windows\SysWOW64\unarchiver.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 164
Entropy (8bit): 5.281035011969486
Encrypted: false
SSDEEP: 3:t9tIoC1OUfuWDUWJRWrfj6MwkZJsmo6OKUsttIoDoF8UWWDUkh4E2J5xAIhKh+Ry:moDU1NJAbj6qsD9oDu1923fu
MD5: 46A89269107BA94195D3A2A20DFFAA9A
SHA1: 532B3843A26A4B771791FD3852C7655674475A08
SHA-256: 2B3BB182ED50A9ED2B11634E5302EEA3DE5DD87C0ED0224F10159640950457CB
SHA-512: 042A8AC300009739B2F2FA258095A128B96AE6ECE6B04E6107E75B0889A6DC5F5AD8CCBB97228DBE6C18F4BB7C45ED9B4241C3B070412302D3B3F588DACB9D61
Malicious: false
Reputation: low
Preview:
  09/14/2021 9:51 AM: Unpack: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
  09/14/2021 9:51 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\zdsmcxok.014

Static File Info

General

File type: LHa (2.x) archive data [lh5], with "NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe"
Entropy (8bit): 7.983327494950816
TrID:
  • LHARC/LZARK compressed archive (6/4) 100.00%
File name: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
File size: 107136
MD5: b71a9e479123528ba6f7b8642b924d0e
SHA1: 5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
SHA256: 1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5
SHA512: ba6f16107c9a944ca2c62b419ff29933caad97650f4482102f92c364d95d52282710a2882723785373035e79828e56f98aee69f0f280b81c9cecbe103e7dbcde
SSDEEP: 3072:dVlHrjorhU1+isBSk4x1DdS3sdP2hxhBpimq:9r8U+94x1Z2s1qxPY
File Content Preview: 6.-lh5-H....0....-S . NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe..^.........]..x........2.Z....R..Z*T..R....f.......P..2j.IEU..HQU$........}........=.....y...{..|.'.;.....@....#m.3<E......=.....5...e..|..k..U....x.N...%..i..B..AC.5c@i ..".......6..c...j. t.........
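The static verdict above rests on one header field: an LHA level-0 entry whose stored name ends in .exe inside an archive named like a shipping notice. The content preview shows that header in the clear (size byte 0x36, "-lh5-" method, level 0, 32-byte name). The following added example, which is not part of the Joe Sandbox report or of any Joe Security tool, does that triage in code: it walks level-0, level-1 and level-2 headers without decompressing anything, verifies the level-0/1 header checksum, refuses members that claim more data than the file holds, and flags executable members. The archive bytes (SAMPLE_LZH), the extension list and the helper names are constructed here for the example; the builders write zero CRCs and timestamps, which the parser does not check.

```python
"""Header-only triage of an LZH/LHA archive: list members, verify level-0/1
checksums, bound-check sizes and flag executable members. Nothing is extracted."""
import os.path
import struct

# Extensions that run directly on Windows (an illustrative list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1"}


def _walk_ext_headers(buf, pos):
    """pos is at a 2-byte extended-header size field (levels 1 and 2).  Each header
    is [size(2)][type(1)][data(size-3)]; 'size' also counts the size field of the
    following header, and size 0 ends the chain.  Returns ({type: data}, end)."""
    out = {}
    while True:
        size = struct.unpack_from("<H", buf, pos)[0]
        if size == 0:
            return out, pos + 2
        out[buf[pos + 2]] = bytes(buf[pos + 3:pos + size])
        pos += size


def parse_lzh(buf):
    """Yield one dict per member; a zero header-size byte terminates the archive."""
    pos = 0
    while pos < len(buf) and buf[pos] != 0:
        if pos + 24 > len(buf):
            raise ValueError(f"truncated header at offset {pos}")
        method = buf[pos + 2:pos + 7].decode("ascii", "replace")
        comp, orig = struct.unpack_from("<II", buf, pos + 7)
        level = buf[pos + 20]
        if level in (0, 1):
            hsize = buf[pos]                       # header bytes after the checksum
            if sum(buf[pos + 2:pos + 2 + hsize]) & 0xFF != buf[pos + 1]:
                raise ValueError(f"bad header checksum at offset {pos}")
            nlen = buf[pos + 21]
            name = buf[pos + 22:pos + 22 + nlen].decode("cp437", "replace")
            if level == 0:
                data = pos + 2 + hsize
            else:
                # Level 1: crc16(2) + OS id(1) follow the name, then extended headers;
                # the size at offset 7 counts data plus those headers.  (Follows the
                # documented layout; the constructed sample below does not use level 1.)
                ext_start = pos + 22 + nlen + 3
                ext, data = _walk_ext_headers(buf, ext_start)
                comp -= data - ext_start - 2
                if 1 in ext:
                    name = ext[1].decode("cp437", "replace")
        elif level == 2:
            hsize = struct.unpack_from("<H", buf, pos)[0]   # whole header, ext included
            ext, _ = _walk_ext_headers(buf, pos + 24)
            name = ext.get(1, b"").decode("cp437", "replace")
            if 2 in ext:                                     # directory, 0xFF-separated
                name = ext[2].replace(b"\xff", b"/").decode("cp437", "replace") + name
            data = pos + hsize
        else:
            raise ValueError(f"unsupported header level {level} at offset {pos}")
        if data + comp > len(buf):
            raise ValueError(f"member {name!r} claims {comp} bytes past end of archive")
        yield {"name": name, "method": method, "level": level, "compressed": comp,
               "original": orig,
               "executable": os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS}
        pos = data + comp


def triage(buf):
    """Return (all members, names of the executable ones)."""
    members = list(parse_lzh(buf))
    return members, [m["name"] for m in members if m["executable"]]


# --- constructed sample archive; NOT the analysed file ----------------------------
def build_level0(name, payload, orig=None, method=b"-lh0-"):
    """Level-0 entry (the layout of the analysed sample).  Timestamp and crc16 are
    left zero; the parser does not check them."""
    body = (method + struct.pack("<II", len(payload), len(payload) if orig is None else orig)
            + b"\x00\x00\x00\x00" + b"\x20\x00" + bytes([len(name)]) + name + b"\x00\x00")
    return bytes([len(body), sum(body) & 0xFF]) + body + payload


def build_level2(name, payload, method=b"-lh0-"):
    """Level-2 entry: 2-byte total header size, filename carried in ext header 0x01."""
    fixed = (method + struct.pack("<II", len(payload), len(payload)) + b"\x00\x00\x00\x00"
             + b"\x20\x02" + b"\x00\x00" + b"M")          # crc16 zero, OS id 'M' (MS-DOS)
    ext = struct.pack("<H", len(name) + 3) + b"\x01" + name + struct.pack("<H", 0)
    return struct.pack("<H", 2 + len(fixed) + len(ext)) + fixed + ext + payload


SAMPLE_LZH = (
    build_level0(b"NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe", b"\x5a\x4d" * 20, orig=4096, method=b"-lh5-")
    + build_level2(b"ARRIVAL_NOTICE.pdf", b"%PDF-1.4 constructed body\n")
    + b"\x00"
)

if __name__ == "__main__":
    members, flagged = triage(SAMPLE_LZH)
    for m in members:
        mark = "!" if m["executable"] else " "
        print(f"{mark} L{m['level']} {m['method']} {m['compressed']:>5}/{m['original']:<5} {m['name']}")
    print("executable members:", flagged)
```

Run it against a real archive with `triage(open(path, "rb").read())`. Because only headers are read, the check is safe to run on a mail gateway before any extractor sees the file, and a member list such as the one the sandbox derived ("with NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe") is available even when, as in this run, the extracted payload never executes.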

File Icon

Icon Hash:00828e8e8686b000

Network Behavior

No network behavior found


System Behavior

General

Start time: 09:51:55
Start date: 14/09/2021
Path: C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Imagebase: 0xe20000
File size: 10240 bytes
MD5 hash: DB55139D9DD29F24AE8EA8F0E5606901
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 09:51:56
Start date: 14/09/2021
Path: C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\zdsmcxok.014' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Imagebase: 0x230000
File size: 289792 bytes
MD5 hash: 77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis

All functions below were lifted from memory dumps of process 0, C:\Windows\SysWOW64\unarchiver.exe (snapshot files hcaresult_0_2_*_unarchiver.jbxd); none of them belongs to the archived executable.

    Execution Graph

    Execution Coverage: 18%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 0%
    Total number of Nodes: 54
    Total number of Limit Nodes: 2

    Graph

    Rendered on the original page. Its API-calling nodes, all in the 0170Axxx region of unarchiver.exe, are: DuplicateHandle (170ab96), CreatePipe (170aa66, 170aa12), SetErrorMode (170a265, 170a25e, 170a28a), GetFileType (170a6ee), SetFilePointer (170a7ae, 170a7e3), WriteFile (170a88e, 170a8c3), FindCloseChangeNotification (170a642, 170a66e), CreateFileW (170a52a, 170a562), CreateDirectoryW (170a46a, 170a490).

    Callgraph

    Rendered on the original page. It holds 78 functions in three regions of unarchiver.exe's memory (0170xxxx, 014Bxxxx, 055Dxxxx). The only edges are 055D0AD8 -> 055D0BBF, 055D0ACA -> 055D0BBF, 014B0638 -> 014B065A, and 055D0299 and 055D02A8 each -> 014B05CF, 055D0AD8, 055D0ACA, 014B05F6, 055D0C30.

    Executed Functions

    Control-flow Graph

    Rendered on the original page; basic blocks 55d02a8-55d09fe, with calls to 14b05cf, 55d0ad8, 55d0aca, 14b05f6 and 55d0c30.
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1332958900.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_55d0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID: u]?q^
    • API String ID: 0-3526293871
    • Opcode ID: b391d38fc758c81a7377af5e3f6796a922da6dcc464d2ad591ace55abb0589ee
    • Instruction ID: dbeb0fc26cafdf8f32509d08e8e2ef1c8e19e9c5e29af6dd41b482891efc5d47
    • Opcode Fuzzy Hash: b391d38fc758c81a7377af5e3f6796a922da6dcc464d2ad591ace55abb0589ee
    • Instruction Fuzzy Hash: C222F574E00218DFEB24DFA9D884B9DBBB2FB89311F1091A9D909A7394DB749D81CF11
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 55d0c30-55d0e30, no calls.
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1332958900.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_55d0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID: U]?q^$e]?q^
    • API String ID: 0-2148970668
    • Opcode ID: 1754b20dee8fccd8b4d0b7488b8a9724f592bf2ac34516d514aff01065471547
    • Instruction ID: cf004cfc8c7f916fc79b1e582c60b53c66ea5d991876f1388b5739b8e7be7e5b
    • Opcode Fuzzy Hash: 1754b20dee8fccd8b4d0b7488b8a9724f592bf2ac34516d514aff01065471547
    • Instruction Fuzzy Hash: EB51C374E42219DFCB18DFB9D4809AEBBB2FF8A310F209469E405B7354DA399941CF64
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170ab70-170ac6f, DuplicateHandle called in block 170ac0d.
    APIs
    • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0170AC13
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: c2af4396c9a1d8099eddc9cbaea015387e82cc056a1d1bd7e99105417e49ef9c
    • Instruction ID: 0ef8b9f5b3aea97a2e9f70e9d2c4a97461b951fa14ea8bc730d67537eb51103e
    • Opcode Fuzzy Hash: c2af4396c9a1d8099eddc9cbaea015387e82cc056a1d1bd7e99105417e49ef9c
    • Instruction Fuzzy Hash: FA31C771504344AFEB128B65DC84F67BFECEF05310F0888AAF985DB152D324A419DB71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170a9e2-170aad3, CreatePipe called in block 170aa66.
    APIs
    • CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 0170AAA2
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: CreatePipe
    • String ID:
    • API String ID: 2719314638-0
    • Opcode ID: b3a3189474cd89775d31453cc14f998cdc2833d79aac17478db761d5a95470e0
    • Instruction ID: 4312396b02d55fc2526ac02322f11b9fc47de6be7cfc52f0fa4e3a5d40780968
    • Opcode Fuzzy Hash: b3a3189474cd89775d31453cc14f998cdc2833d79aac17478db761d5a95470e0
    • Instruction Fuzzy Hash: CD31AC6640E3C06FD3038B358C61A65BFB4AF47610F1E84DBD8C4CF1A3D269A919C762
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170a504-170a5fe, CreateFileW called in block 170a5a3.
    APIs
    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0170A5A9
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 8586c900942ae59a0c04c7422fd5303e3a3faaeedc500a40d55d84d607a44ce0
    • Instruction ID: d2869f7d45fe2c67c0affab4969d160c0e6cc75c7173978395928addda006d58
    • Opcode Fuzzy Hash: 8586c900942ae59a0c04c7422fd5303e3a3faaeedc500a40d55d84d607a44ce0
    • Instruction Fuzzy Hash: 31316171504380AFE722CF69DC44F66FFE8EF05210F1884AAE9859B252D375E405CB71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170ab96-170ac6f, DuplicateHandle called in block 170ac0d.
    APIs
    • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0170AC13
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: 71084b66fc676b2926574b3ccd6cb0e3f553fcb12e593d5e602af0549b55e8de
    • Instruction ID: 14e92dce0c61ca4139d0ae954fe593259589aae598ee4425bc389ddd40dcbad0
    • Opcode Fuzzy Hash: 71084b66fc676b2926574b3ccd6cb0e3f553fcb12e593d5e602af0549b55e8de
    • Instruction Fuzzy Hash: 4B219072500304AFEB22DF69DC84F6BFBECEF04310F14886AE9859B151D670A5149BB1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170a77c-170a852, SetFilePointer called in block 170a804.
    APIs
    • SetFilePointer.KERNELBASE(?,00000E2C,7209E34F,00000000,00000000,00000000,00000000), ref: 0170A80A
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: FilePointer
    • String ID:
    • API String ID: 973152223-0
    • Opcode ID: d8fc3eacc9ed802a7c7b849ebcc32a463c171b5b4bee11460643e0d6bd4d864e
    • Instruction ID: fb977ce557b6fedb3c9b11e986db504b241ffaf5f69eb44cbbe6abc4fd9dd482
    • Opcode Fuzzy Hash: d8fc3eacc9ed802a7c7b849ebcc32a463c171b5b4bee11460643e0d6bd4d864e
    • Instruction Fuzzy Hash: 5021A171508380AFEB138B64DC84F66BFB8EF46710F0884EAED849F193D264A909D771
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170a85f-170a935, WriteFile called in block 170a8e7.
    APIs
    • WriteFile.KERNELBASE(?,00000E2C,7209E34F,00000000,00000000,00000000,00000000), ref: 0170A8ED
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: e7d6f2debd4efcd0ab081e8bc19a718c82bc05c8d7c298cfcc9fe72cf2da35a3
    • Instruction ID: 97b2ce64bede4e63b7b2cee59e3467276a00e8ba1b43d09b8491fc34558a0b1a
    • Opcode Fuzzy Hash: e7d6f2debd4efcd0ab081e8bc19a718c82bc05c8d7c298cfcc9fe72cf2da35a3
    • Instruction Fuzzy Hash: 33218171509380AFDB228F65DC84F96FFB8EF06710F08849AEA849F152D365A409DB71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170a52a-170a5fe, CreateFileW called in block 170a5a3.
    APIs
    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0170A5A9
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 39423fd5801eb5177a74f6c72e4a5b32f630d407f46f6b4315407a2752ce7492
    • Instruction ID: 2371c3636d3e23d2e80ad893eec22905f719644b1e3fc91cecc04523da867b3e
    • Opcode Fuzzy Hash: 39423fd5801eb5177a74f6c72e4a5b32f630d407f46f6b4315407a2752ce7492
    • Instruction Fuzzy Hash: 54217F75500740AFEB22DF69D884B66FBE8FF08310F188469E9859B292D771E404CB71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170a6bb-170a77a, GetFileType called in block 170a73b.
    APIs
    • GetFileType.KERNELBASE(?,00000E2C,7209E34F,00000000,00000000,00000000,00000000), ref: 0170A741
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    • Opcode ID: 505d20aff5a983a3fb7dc0112dc14e41bff615b928caf731c163c5aeb2450342
    • Instruction ID: 8e3be2822fd703ffb2069169a4c39ae3cae5ee1061f923176df06d7f12ddd6da
    • Opcode Fuzzy Hash: 505d20aff5a983a3fb7dc0112dc14e41bff615b928caf731c163c5aeb2450342
    • Instruction Fuzzy Hash: A621D5B54083806FE7138B65DC80BA6BFB8EF46710F0880DBED859F193D264A909D771
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170a600-170a6b9, FindCloseChangeNotification called in block 170a66e.
    APIs
    • FindCloseChangeNotification.KERNELBASE(?), ref: 0170A674
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: 67f5df1a499e5392db0d5a9d2fa6ee712e7ef953cf2a06674e5c392fe205833f
    • Instruction ID: 65c20f6d50612f3728c70c80dafa4c4f77632875b64ab04e4fbca19e3297f9b2
    • Opcode Fuzzy Hash: 67f5df1a499e5392db0d5a9d2fa6ee712e7ef953cf2a06674e5c392fe205833f
    • Instruction Fuzzy Hash: 2C21A4B55097C09FD7138B29DC94792BFB4EF52720F0880EBDC858F5A3D2649908C761
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170a448-170a4f4, CreateDirectoryW called in block 170a4a9.
    APIs
    • CreateDirectoryW.KERNELBASE(?,?), ref: 0170A4AF
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID:
    • API String ID: 4241100979-0
    • Opcode ID: 1c1451011295036ab737068be6d5e790ccaa7c27be679ddc7c158da94772c1aa
    • Instruction ID: fa6587d2d01c20990d388f95256e5be45ab242bde43da2769ec1d3a58373c856
    • Opcode Fuzzy Hash: 1c1451011295036ab737068be6d5e790ccaa7c27be679ddc7c158da94772c1aa
    • Instruction Fuzzy Hash: B41184755053809FD712CF29DC89B56FFE8EF06220F0980AAED45CF292D274E808CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Rendered on the original page; basic blocks 170a88e-170a935, WriteFile called in block 170a8e7.
    APIs
    • WriteFile.KERNELBASE(?,00000E2C,7209E34F,00000000,00000000,00000000,00000000), ref: 0170A8ED
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: eb5363632780d61f8aafaf3ed11026b2f6d4b474b352d2529b5fe631b2f3af93
    • Instruction ID: a4ed8effe0374af12c9d563823fd42d594fdda4ce0e36795468dc45f74aef0ec
    • Opcode Fuzzy Hash: eb5363632780d61f8aafaf3ed11026b2f6d4b474b352d2529b5fe631b2f3af93
    • Instruction Fuzzy Hash: 25118275504304EFEB22CF59DC84F56FBE8EF44710F14846AEE459B192D774A4049B71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph
    Basic blocks and edges (rendered graph not recoverable): 272 170a7ae-170a802 -> 275, 276; 275 170a804-170a80c (SetFilePointer) -> 278; 276 170a846-170a84b -> 275; 278 170a812-170a824 -> 279, 280; 279 170a826-170a843; 280 170a84d-170a852 -> 279
    APIs
    • SetFilePointer.KERNELBASE(?,00000E2C,7209E34F,00000000,00000000,00000000,00000000), ref: 0170A80A
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: FilePointer
    • String ID:
    • API String ID: 973152223-0
    • Opcode ID: b6b64e3b6f29abd5ba283f361a0571a65588def1928463d44c23465e5a4271da
    • Instruction ID: a292ed538259f4dccfbc7e46de6fabd136b0e075c2301493be0bcae7b2562939
    • Opcode Fuzzy Hash: b6b64e3b6f29abd5ba283f361a0571a65588def1928463d44c23465e5a4271da
    • Instruction Fuzzy Hash: BC11C471500300AFEB22CF58DC84F66FBE8EF44710F14C46AEE459B181D774A5048B71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph
    Basic blocks and edges (rendered graph not recoverable): 283 170a1f4-170a20f -> 284, 285; 284 170a211-170a226 -> 286, 287; 285 170a265-170a288 -> 288, 289; 286 170a230-170a23a; 287 170a228-170a22b -> 286; 288 170a2b3-170a2b8 -> 289; 289 170a28a-170a29d (SetErrorMode) -> 290, 291; 290 170a2ba-170a2bf -> 291; 291 170a29f-170a2b2
    APIs
    • SetErrorMode.KERNELBASE(?), ref: 0170A290
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: 4c876ded9458008201f6bc57eb51dac8edbe360d725d95edf2f3f2eac7893743
    • Instruction ID: 75bf73d1ce361293d35642922be3b9f6e81b45b7661b08f485b3a5964c46abb9
    • Opcode Fuzzy Hash: 4c876ded9458008201f6bc57eb51dac8edbe360d725d95edf2f3f2eac7893743
    • Instruction Fuzzy Hash: FC11073550D3C08FD7138B259894350BFB0AF47220F1D80EBC9848F2A3C26A9949DB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateDirectoryW.KERNELBASE(?,?), ref: 0170A4AF
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID:
    • API String ID: 4241100979-0
    • Opcode ID: 5fde474d28c1fa9a38f1bb84b1c2a0394f898abd4d6a798e658a780af2b3575a
    • Instruction ID: 269f4c6e17c679c38a70bfc1a76096304c25683d9d8766b4f1932de009258a4b
    • Opcode Fuzzy Hash: 5fde474d28c1fa9a38f1bb84b1c2a0394f898abd4d6a798e658a780af2b3575a
    • Instruction Fuzzy Hash: 3D115E756003418FEB11CF2DD889B66FBD8EF04620F08C4AAED49CB682E274E404CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetFileType.KERNELBASE(?,00000E2C,7209E34F,00000000,00000000,00000000,00000000), ref: 0170A741
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    • Opcode ID: e894863d10405639d5578c71d94cc5870ccc831c3f989f803d23fa88e3a01e9f
    • Instruction ID: 59477922dc5196742fb1c51b1a7e0c72eede720ace355aab4f990cc9a2a74f74
    • Opcode Fuzzy Hash: e894863d10405639d5578c71d94cc5870ccc831c3f989f803d23fa88e3a01e9f
    • Instruction Fuzzy Hash: 0B01D2B1904304AEE721CB29DC85B6AFBE8DF44720F18D09AEE459B281D674A4048AB1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetErrorMode.KERNELBASE(?), ref: 0170A290
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: 140e1fb565296d255ad05b4fc6cc26f535097b0bc1ac78582da5c89755c30580
    • Instruction ID: 1a6391362b342a49ff82c129f1470b794487776cc08df9bee2fde9d8438b0ca2
    • Opcode Fuzzy Hash: 140e1fb565296d255ad05b4fc6cc26f535097b0bc1ac78582da5c89755c30580
    • Instruction Fuzzy Hash: 331112755093849FD7128B15DC44B62FFB4DF46624F0880DAED858F253D265A908DB72
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 0170AAA2
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: CreatePipe
    • String ID:
    • API String ID: 2719314638-0
    • Opcode ID: ffbf0ad49ea4ef6d7ee658bc74c3b481e7ff7dca6abb7d0fb990116822d8da6c
    • Instruction ID: 293b34325192a852a25bee9bc41477d4c6ed6559f87e56ac024cfd8d0ff4686c
    • Opcode Fuzzy Hash: ffbf0ad49ea4ef6d7ee658bc74c3b481e7ff7dca6abb7d0fb990116822d8da6c
    • Instruction Fuzzy Hash: 3A01B172900200ABD310DF1ADC85B26FBE8FB88B20F14812AED088B645E631F915CBE5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindCloseChangeNotification.KERNELBASE(?), ref: 0170A674
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: f963f682acd98c0d6f6a1386278207fe126e6e90129ea725274437189431c486
    • Instruction ID: 71c716db7905f963d4ea2eb000e3d288f3a5cbfccd803d84a409f72be56cf8eb
    • Opcode Fuzzy Hash: f963f682acd98c0d6f6a1386278207fe126e6e90129ea725274437189431c486
    • Instruction Fuzzy Hash: BD018F75914340DFDB128F29DC84766FFE4EF84720F08C0AADD498F696D675A444CE61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetErrorMode.KERNELBASE(?), ref: 0170A290
    Memory Dump Source
    • Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170a000_unarchiver.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: e41371d71de040e20b30067c674b22a1beed046b25df16fbdde0920025c7f4c3
    • Instruction ID: e45bafedf8396250e5fd9f7b9f618da82107608233950e523b472d71c2e94e17
    • Opcode Fuzzy Hash: e41371d71de040e20b30067c674b22a1beed046b25df16fbdde0920025c7f4c3
    • Instruction Fuzzy Hash: 78F08C75918344CFDB128F19D884765FFE4EF88720F08C0AADD494B296D276A408CEA2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.1332958900.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_55d0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a89a310ef52eb62a43f744c37c04551e2efdfa1ba6cd78a432d3e024bc55c2bc
    • Instruction ID: b5eeb33de8fc1260c49a622e07e4ff504cf2979306ee4d165c29ff423d812d95
    • Opcode Fuzzy Hash: a89a310ef52eb62a43f744c37c04551e2efdfa1ba6cd78a432d3e024bc55c2bc
    • Instruction Fuzzy Hash: 16211435E05208DFEB14DFA8D4846EEFBB6FB89315F10952AD500B3290DA746D46CFA1
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.1332023932.00000000014B0000.00000040.00000040.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 55a019205bc52bee38e3c4fe7bc8dfc19e4b2e3f1a2f9cdc17e153d53b070c27
    • Instruction ID: 6de0ecc48860b41b7cbfb2c2e58946de15751af3610cc997f0205b88bebe0a0b
    • Opcode Fuzzy Hash: 55a019205bc52bee38e3c4fe7bc8dfc19e4b2e3f1a2f9cdc17e153d53b070c27
    • Instruction Fuzzy Hash: 2D018BB65093805FD7128F16EC45862FFA8EB46620709C49BEC498B612D225B908DB71
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.1332958900.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_55d0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 91db5173a57b42c96e8cd1fb9d37ad320dc75790f17b5d777fe5d4a53b4c1a60
    • Instruction ID: 1ba79341bea7826d724c8b67da94712ec722e52263bf1a235efd41b4415682da
    • Opcode Fuzzy Hash: 91db5173a57b42c96e8cd1fb9d37ad320dc75790f17b5d777fe5d4a53b4c1a60
    • Instruction Fuzzy Hash: 9C015675D092099FCB14DFA8C4449AEFFF1BF45300F1088AAC449A3391E6306A04DBA2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.1332023932.00000000014B0000.00000040.00000040.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_14b0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9175c70a2a594d1ce225293a44a7094423a23b89f2868b108174c7c0e6e6b109
    • Instruction ID: 6f528032560861ff7f6415ab3703539267801c2191cf37415eb44e15a6b3635b
    • Opcode Fuzzy Hash: 9175c70a2a594d1ce225293a44a7094423a23b89f2868b108174c7c0e6e6b109
    • Instruction Fuzzy Hash: DEE092B66046004BD650CF0AEC81452F7D8EB84A30718C47FDC4D8B711E235B504CFA5
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.1332122374.0000000001702000.00000040.00000001.sdmp, Offset: 01702000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1702000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fef7f5d0d332b2b0f240c2849c0f78ccc6f101953fc14f007fd87bd4229d59cb
    • Instruction ID: f4d9e86e641a317550704af9703bc505317876d0d46ab0107c0c1f9ac4a0f7aa
    • Opcode Fuzzy Hash: fef7f5d0d332b2b0f240c2849c0f78ccc6f101953fc14f007fd87bd4229d59cb
    • Instruction Fuzzy Hash: B8D05E7A305B818FE3278A1CC1A8B957FE4EF51B04F5744F9E8008B7A3C368D981D200
    Uniqueness

    Uniqueness Score: -1.00%
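
    The per-function entries above all share one shape: an APIs line giving the API, the module it resolved to, its argument list and the call-site address ("ref"), then a Memory Dump Source line naming the sdmp file the code was lifted from and whether that region is backed by a PE image. The Python below is an added worked example, not part of the Joe Sandbox report or its tooling: it parses text in that shape, groups the call sites by dump region, reports each call site as an offset into its region, and flags regions that are executable, not PE-backed and make API calls, which is the combination a triager looks at first when a report also carries a "creates a process in suspended mode" signature. The excerpt it parses is constructed from entries on this page. Two things are assumptions: the field order read out of the sdmp filename (process index, phase, dump ID, base address, page protection, type) and the reading of the 00000040 field as the Win32 page protection PAGE_EXECUTE_READWRITE.

```python
import re
from dataclasses import dataclass, field

# Windows page-protection constants (winnt.h). The four execute variants
# (PAGE_EXECUTE 0x10, _READ 0x20, _READWRITE 0x40, _WRITECOPY 0x80) all
# live in bits 4-7, so `protect & 0xF0` tests "executable".
PAGE_EXECUTE_MASK = 0xF0
PAGE_EXECUTE_READWRITE = 0x40

# Constructed excerpt in the shape of the report entries above (not a full copy).
REPORT_EXCERPT = """\
APIs
• CreateDirectoryW.KERNELBASE(?,?), ref: 0170A4AF
Memory Dump Source
• Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
APIs
• WriteFile.KERNELBASE(?,00000E2C,7209E34F,00000000,00000000,00000000,00000000), ref: 0170A8ED
Memory Dump Source
• Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
APIs
• CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 0170AAA2
Memory Dump Source
• Source File: 00000000.00000002.1332132054.000000000170A000.00000040.00000001.sdmp, Offset: 0170A000, based on PE: false
Memory Dump Source
• Source File: 00000000.00000002.1332958900.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
"""

API_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(
    r"Source File:\s*(?P<name>[0-9A-Fa-f.]+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int  # absolute call-site address as printed in the report


@dataclass
class Region:
    name: str
    base: int
    protect: int
    pe_backed: bool
    calls: list = field(default_factory=list)

    @property
    def executable(self) -> bool:
        return bool(self.protect & PAGE_EXECUTE_MASK)

    def call_offsets(self) -> dict:
        """Call-site address relative to the region base, keyed by API name."""
        return {c.api: c.ref - self.base for c in self.calls}


def parse_sdmp_name(name: str):
    """Return (base, protection) from an sdmp filename.

    ASSUMPTION: the dotted fields are process index, phase, dump ID, base
    address, page protection, type; only base and protection are used here.
    """
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 6:
        raise ValueError(f"unexpected sdmp name: {name}")
    return int(fields[3], 16), int(fields[4], 16)


def summarize(report_text: str) -> dict:
    """Group API call sites by the memory-dump region that follows them."""
    regions = {}
    pending = []  # API lines seen since the last Memory Dump Source line
    for line in report_text.splitlines():
        m = API_RE.search(line)
        if m:
            args = [a for a in m["args"].split(",") if a != ""]
            pending.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
            continue
        m = SRC_RE.search(line)
        if m:
            base, protect = parse_sdmp_name(m["name"])
            if int(m["off"], 16) != base:
                raise ValueError(f"Offset disagrees with base in {m['name']}")
            region = regions.setdefault(
                m["name"], Region(m["name"], base, protect, m["pe"] == "true")
            )
            region.calls.extend(pending)
            pending = []
    return regions


def flag_regions(regions: dict) -> list:
    """Bases of regions that are executable, not PE-backed, and call APIs."""
    return sorted(r.base for r in regions.values()
                  if r.executable and not r.pe_backed and r.calls)


if __name__ == "__main__":
    found = summarize(REPORT_EXCERPT)
    for r in found.values():
        print(f"{r.base:#010x} exec={r.executable} pe={r.pe_backed} "
              f"calls={[c.api for c in r.calls]} offsets={r.call_offsets()}")
    print("flagged:", [f"{b:#x}" for b in flag_regions(found)])
```

    On the excerpt, the 0x170A000 region collects CreateDirectoryW, WriteFile and CreatePipe at offsets 0x4AF, 0x8ED and 0xAA2 and is flagged; the 0x55D0000 region is executable and not PE-backed but contributes no call sites in the excerpt, so it is not. Keying regions by full sdmp name rather than base address keeps dumps taken at the same address in different phases apart.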

    Non-executed Functions

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1332958900.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_55d0000_unarchiver.jbxd
    Similarity
    • API ID:
    • String ID: u]?q^
    • API String ID: 0-3526293871
    • Opcode ID: 5f80175c4f78da9e9f265c076889e8a00546d24be04b109cf52f0d58e81d9b5f
    • Instruction ID: b6bbc1e9b02675fa063d90372d3b9086edd7d6587b5efc48a4281df34866676d
    • Opcode Fuzzy Hash: 5f80175c4f78da9e9f265c076889e8a00546d24be04b109cf52f0d58e81d9b5f
    • Instruction Fuzzy Hash: 6D911975D00214EFEB24DFA9E844A9DBBB3FB8D311F10D0A9EA09A72A4DB745941CF11
    Uniqueness

    Uniqueness Score: -1.00%