Edit tour

Windows Analysis Report
QuarantineDownload.zip

Overview

General Information

Sample name:	QuarantineDownload.zip
Analysis ID:	1446512
MD5:	7f66d45027ded2a5381db437a1d145ba
SHA1:	f2c15672ed756da3115f0c7ee8ff5dd1d92ba198
SHA256:	c760acadb66a50bf863ad8401db802ec33fb0e0166fca3552f9ddd330e76c04d
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Classification

Process Tree

System is w10x64

unarchiver.exe (PID: 2604 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\QuarantineDownload.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 6504 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\qxqkxgrf.j4o" "C:\Users\user\Desktop\QuarantineDownload.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: classification engine

Classification label: clean2.winZIP@4/1@0/0

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\QuarantineDownload.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\qxqkxgrf.j4o" "C:\Users\user\Desktop\QuarantineDownload.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\qxqkxgrf.j4o" "C:\Users\user\Desktop\QuarantineDownload.zip"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: A50000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 475			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9494			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 2696	Thread sleep count: 475 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 2696	Thread sleep time: -237500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 2696	Thread sleep count: 9494 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 2696	Thread sleep time: -4747000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_006AB1D6 GetSystemInfo,

0_2_006AB1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\qxqkxgrf.j4o" "C:\Users\user\Desktop\QuarantineDownload.zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446512
Start date and time:	2024-05-23 15:21:48 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QuarantineDownload.zip
Detection:	CLEAN
Classification:	clean2.winZIP@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 44 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:23:06	API Interceptor	4709156x Sleep call for process: unarchiver.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3273
Entropy (8bit):	5.0213315818559865
Encrypted:	false
SSDEEP:	48:5RLDGKGbKGKGpsGFfGKGp3RmGbgGCRmGCGaGKGKGmRGKGfGKGmjV1pKhPeklXDlZ:5RgoR5uRpDwPbo6n
MD5:	05FB9AC665CA883735DF2E4C24553EE8
SHA1:	80854DF5BD21523A3EEDDF51371265F43CBAEDB0
SHA-256:	7E269B5B228D4AE4A72536183301C0FA86F881553A2088448C1619F55AB1CAA4
SHA-512:	0B7B775B111B358BE33B7F43E897E51B38C1292CB85C7EF0104B4536C87E31FD08E5B6887B00B1F3750247FE337D74A53BCAFA21A96DBA1B981FF8A299366890
Malicious:	false
Reputation:	low
Preview:	05/23/2024 9:22 AM: Unpack: C:\Users\user\Desktop\QuarantineDownload.zip..05/23/2024 9:22 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\qxqkxgrf.j4o..05/23/2024 9:22 AM: Received from standard out: ..05/23/2024 9:22 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..05/23/2024 9:22 AM: Received from standard out: ..05/23/2024 9:22 AM: Received from standard out: Scanning the drive for archives:..05/23/2024 9:22 AM: Received from standard out: 1 file, 24726 bytes (25 KiB)..05/23/2024 9:22 AM: Received from standard out: ..05/23/2024 9:22 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\QuarantineDownload.zip..05/23/2024 9:22 AM: Received from standard out: --..05/23/2024 9:22 AM: Received from standard out: Path = C:\Users\user\Desktop\QuarantineDownload.zip..05/23/2024 9:22 AM: Received from standard out: Type = zip..05/23/2024 9:22 AM: Received from standard out: Physical Size = 24726..05/23/2024 9:22

Static File Info

General

File type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Entropy (8bit):	7.9923749032375975
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	QuarantineDownload.zip
File size:	24'726 bytes
MD5:	7f66d45027ded2a5381db437a1d145ba
SHA1:	f2c15672ed756da3115f0c7ee8ff5dd1d92ba198
SHA256:	c760acadb66a50bf863ad8401db802ec33fb0e0166fca3552f9ddd330e76c04d
SHA512:	7a16638bfafa0999084bba8517416d9462b649745a1a157f5e6269b02eeff8923fdc93b5ba019a3d92bec3af10ea3deb2891c6910e24e0b816c0e20842f9e169
SSDEEP:	384:/yioNDF7Q7hBr00MTOoQP0lqd7AAU24X2X0BkCZu3M3aealY74hPOzvXzgY9ah+G:KioJ52fYiX0MAAU2jj6B7E+C87O
TLSH:	8BB2D0C839D9EB14F4604138F4E1041EEFAACEED187F6D8DDBD94182B5AA6133E64135
File Content Preview:	PK..-......j.X............M...c3d50dd2-ec0f-4f3c-eb62-08dc7a368bd1/7a68b808-2a96-0f31-60c1-10917410b8f6.eml............Z_......d..=......d..~$./.R@.c9.....x......xJB.0..i...j.$.....<),...\{Ga.i.p.=1...Ol.=.%O..-...s=:.q3l*.km.......9F....?A....:[.(.-...G:

File Icon


Icon Hash:	90cececece8e8eb0

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: unarchiver.exePID: 2604, Parent PID: 1028

General

Target ID:	0
Start time:	09:22:31
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\QuarantineDownload.zip"
Imagebase:	0xa0000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 6504, Parent PID: 2604

General

Target ID:	1
Start time:	09:22:31
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\qxqkxgrf.j4o" "C:\Users\user\Desktop\QuarantineDownload.zip"
Imagebase:	0x10000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6604, Parent PID: 6504

General

Target ID:	2
Start time:	09:22:31
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: unarchiver.exePID: 2604, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	22.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.5%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 006AB1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 006AB208

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0d244e04b40ad7389497d2ab39615bcb35368bf5eb1ebc294d920d43acd88b5e
Instruction ID: f464153f46169ddff9dcad9fc56e36081bf064d361c906034953a0e090a7fd4c
Opcode Fuzzy Hash: 0d244e04b40ad7389497d2ab39615bcb35368bf5eb1ebc294d920d43acd88b5e
Instruction Fuzzy Hash: 730178719042448FDB20DF15E9847A9FFE4EB06320F08C4AADD098F652D375A9088FA2

Function 006AB246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 006AB2F3

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a83cb068a8c82c114c8a9b33b6f054490b0f3c50430daf3524d0539d6ae50a21
Instruction ID: c25b28ed4ed72b3696a17eee975c35f300a084f9a50396ab191de622247a2cae
Opcode Fuzzy Hash: a83cb068a8c82c114c8a9b33b6f054490b0f3c50430daf3524d0539d6ae50a21
Instruction Fuzzy Hash: 5831C6724043446FEB228B65CC44FA6BFBCEF46310F0488AAE985CB562D335A909CB71

Function 006AAD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 006AADA7

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ef4b53226411bf18295a7ea8dcb1b22a7d2660327dd5bb06695f9e866de40d26
Instruction ID: 50d5cd34986de8f435238c12f1f94352d02603b335ccbf435220130a8f360a7e
Opcode Fuzzy Hash: ef4b53226411bf18295a7ea8dcb1b22a7d2660327dd5bb06695f9e866de40d26
Instruction Fuzzy Hash: CD31A4725043446FE7228B65CD44FA7BFACEF46214F0448AAE985CB652D334A909CB71

Function 006AAB76 Relevance: 1.6, APIs: 1, Instructions: 93
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 006AAC36

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 101edc329c64f30b26a7eece5e82925bb9c3d8a823c92081b94ad7852ddcf435
Instruction ID: 807e662e403af1a3b1a187b8d4ec43a95d137638169b3d80dec477e974ba98a8
Opcode Fuzzy Hash: 101edc329c64f30b26a7eece5e82925bb9c3d8a823c92081b94ad7852ddcf435
Instruction Fuzzy Hash: 8F31AF7250E3C06FD3138B318C65AA2BFB4AF47610F1A84CBD8C4DF5A3D2696819C762

Function 006AA5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 006AA67D

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a30bcbe87a0d4c52d83770792564859782532b920d6a2ebe48dc2037a68ca145
Instruction ID: e7ea2e4b59a53a71072dc2c67793766ae14c192716f554f2b1c90481dcf6e1f0
Opcode Fuzzy Hash: a30bcbe87a0d4c52d83770792564859782532b920d6a2ebe48dc2037a68ca145
Instruction Fuzzy Hash: 19316F71505340AFE721CF65DD44FA2BFE8EF06220F08889AE9858B652D375E809CB71

Function 006AA120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 006AA1C2

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 62033fd573ce84b846cd3a568d00cdc1087e0438c67c4ec71035305cbb453ae4
Instruction ID: 6c16842b3b4ac1fda33c2a30fa23dd5318e9af837cf81ce1adf5e8d09226c185
Opcode Fuzzy Hash: 62033fd573ce84b846cd3a568d00cdc1087e0438c67c4ec71035305cbb453ae4
Instruction Fuzzy Hash: 7B21D17150D3C06FD3128B258C51BA2BFB4EF47610F0985CBD8848F693D225A91AC7A2

Function 006AA370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,EABEC8D2,00000000,00000000,00000000,00000000), ref: 006AA40C

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e9d3dfb2638189a727cb547e02beedc35fb701c4fbefee92399126fd26762c48
Instruction ID: 13534adf99e28cd378b1c90ee954d7fc840df19b346994105a61e3850432fd7c
Opcode Fuzzy Hash: e9d3dfb2638189a727cb547e02beedc35fb701c4fbefee92399126fd26762c48
Instruction Fuzzy Hash: 6A216B75505344AFE721CF55CC84FA2BBE8EF46610F08889AE985CB692D364ED08CB62

Function 006AB276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 006AB2F3

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6a3d659a0846f9de7f604c071a35ec4fe8ef8b10f229b99d233dccaca880f7d5
Instruction ID: e53ae581208512259f9fd0f559019a1b051e2d1a29d93525b03d79fd4c88b0e4
Opcode Fuzzy Hash: 6a3d659a0846f9de7f604c071a35ec4fe8ef8b10f229b99d233dccaca880f7d5
Instruction Fuzzy Hash: EE21B272500204AFEB31DF65DD44FAABBECEF05314F04886AE9458BA51D771E9088BA1

Function 006AAD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 006AADA7

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eaec807d3f4c745bd334e42f641aa0ba72ca497cf1a8284dae6e511236102a55
Instruction ID: 57e9d87a09976eacd05e37810cc7740b94fd786467f4a8b2d12c191f7c5aa0d9
Opcode Fuzzy Hash: eaec807d3f4c745bd334e42f641aa0ba72ca497cf1a8284dae6e511236102a55
Instruction Fuzzy Hash: DF21B272500204AFEB31DF64DD44FABBBECEF05324F04886AE9458AA51D770E909CBA1

Function 006AA850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,EABEC8D2,00000000,00000000,00000000,00000000), ref: 006AA8DE

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ea2dda8f1e631e720c8297e37e4487b403a93ca042c490a9977c0bc79904c93a
Instruction ID: 3314053fb708ab135111eacf07368f5428dde5dbeb56045d1953c29960d79cd3
Opcode Fuzzy Hash: ea2dda8f1e631e720c8297e37e4487b403a93ca042c490a9977c0bc79904c93a
Instruction Fuzzy Hash: EF2195715093806FE7228B54DC44BA2BFB8EF46714F0988EAE9858B552D374AD09C771

Function 006AA933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,EABEC8D2,00000000,00000000,00000000,00000000), ref: 006AA9C1

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ac16ea9fe31cc237db39e29a0d4575168dcff5e97eb0c8cd14708d60b4f72502
Instruction ID: 32a97591074d43203424a490727b08b024f9fdf57b1aed71339be4e9e54a2d07
Opcode Fuzzy Hash: ac16ea9fe31cc237db39e29a0d4575168dcff5e97eb0c8cd14708d60b4f72502
Instruction Fuzzy Hash: 5621A3714093806FD722CF55CD44F96BFB8EF46314F08889AE9858B652C375A908CB72

Function 006AA5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 006AA67D

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d3e45df5d149ddea530675adbc8b2746a30b8c8cb42a5c066da3544bfd54d957
Instruction ID: d319ca6f1775e4ebc684e401ded4efdcc77c69181e2c67c71c8a02edf60f2ec2
Opcode Fuzzy Hash: d3e45df5d149ddea530675adbc8b2746a30b8c8cb42a5c066da3544bfd54d957
Instruction Fuzzy Hash: 08217F71504204AFEB21DF65DD45FA6FBE8EF09314F08886AE9458A751D371F808CF62

Function 006AA78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,EABEC8D2,00000000,00000000,00000000,00000000), ref: 006AA815

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ed53e2e09b06a71ed2772fd7e7b8239890b37c1dd6bb88411ff06d2ddd065ecc
Instruction ID: 3bbe785930ba9203f6c7003c944af21a7434a54faf45cb369aeef3a078712e94
Opcode Fuzzy Hash: ed53e2e09b06a71ed2772fd7e7b8239890b37c1dd6bb88411ff06d2ddd065ecc
Instruction Fuzzy Hash: EF21F3B54093806FE7228B519C40BA2BFACDF47314F0884DBE9858B693D368AD09C772

Function 006AA6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 006AA748

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 380ee0f33a07f4d77d1103ad44bc7a3894c362915fb7f80ffbddedf49d8ee0d9
Instruction ID: 020f44187adb3337c30e89e2498f8d7dcc82ea14e2c25bb9c63394afc2684ca7
Opcode Fuzzy Hash: 380ee0f33a07f4d77d1103ad44bc7a3894c362915fb7f80ffbddedf49d8ee0d9
Instruction Fuzzy Hash: 602192B59093C05FD7128B25DC95652BFB8EF17320F0984DBDD858F6A3D2649908CB62

Function 006AAA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 006AAA8B

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6e09715487ad70ddbe62f2a2deb8119dfa5cfc8c7c085eb5d50e49450eb63327
Instruction ID: eaa084074140104c2dbe6ba5a43ccf8e2c932a67ac977f12175269b4df4a1e5d
Opcode Fuzzy Hash: 6e09715487ad70ddbe62f2a2deb8119dfa5cfc8c7c085eb5d50e49450eb63327
Instruction Fuzzy Hash: BF21AF715083C45FDB12CB69DC55B92BFE8AF07314F0984EAE984CB253D324E909CB62

Function 006AA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,EABEC8D2,00000000,00000000,00000000,00000000), ref: 006AA40C

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9fc40aa969b64b9bebf8d1861efdd00545fe0b89b6cc5473e6698d70c7440b58
Instruction ID: bcaa102ff44dc0c27560aaba5d1c5d52f552c160a9ee81a91b2282e66a3e9a6c
Opcode Fuzzy Hash: 9fc40aa969b64b9bebf8d1861efdd00545fe0b89b6cc5473e6698d70c7440b58
Instruction Fuzzy Hash: 5C215E755002049FEB30DE55CD84BA6BBECEF09710F04846AE946CB651D764ED09CA72

Function 006AA962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,EABEC8D2,00000000,00000000,00000000,00000000), ref: 006AA9C1

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fae5171a5fc3d1757d59a5e5913df87ae967395be6ce052723f9d051e493258a
Instruction ID: ed397501cfa849aa82a9b15f6ef5edf410ebf3c3d6b453d69b26e3e463a9bddc
Opcode Fuzzy Hash: fae5171a5fc3d1757d59a5e5913df87ae967395be6ce052723f9d051e493258a
Instruction Fuzzy Hash: 6411B671500204AFE721DF55DD44BA6FBE8EF05314F04886BE9458AA51D374A948CBB2

Function 006AA882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,EABEC8D2,00000000,00000000,00000000,00000000), ref: 006AA8DE

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 48836b40dae0bebc53fbbb77e218aa18387c721391db13c95cd5402d79e6440e
Instruction ID: 5e6d1ffb1e8314a84e4c471c580f932926e7743d9ea6561ee9a491d1962642bb
Opcode Fuzzy Hash: 48836b40dae0bebc53fbbb77e218aa18387c721391db13c95cd5402d79e6440e
Instruction Fuzzy Hash: 3811C172504304AFEB21DF94DD44BA6FBE8EF45324F14886AE9458BA41D374A909CBB2

Function 006AA2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 006AA30C

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 34f60634462aa125661395aee0b95234be39c0651729b2d2433063339dcd4325
Instruction ID: 0b5d295df39f9ceafad28ea8355bb0694cb1e9ffdec4688777cba030250c35ce
Opcode Fuzzy Hash: 34f60634462aa125661395aee0b95234be39c0651729b2d2433063339dcd4325
Instruction Fuzzy Hash: B5119E758093C09FDB228B25DC54A92BFB4DF17220F0A80DBD9858F263D265AD08CB72

Function 006AA7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,EABEC8D2,00000000,00000000,00000000,00000000), ref: 006AA815

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 21da0ab33c420f24382d43603ca7a350f341935d5883432fb20e529657c9d4e7
Instruction ID: b92b6cf37112b9d004bae9c0c58f9d1b61baa853e5238949c633f3de80f33a41
Opcode Fuzzy Hash: 21da0ab33c420f24382d43603ca7a350f341935d5883432fb20e529657c9d4e7
Instruction Fuzzy Hash: 00010071504300AEE720DB45DD84BA6BBECDF05724F04C4A6EE058BB81D378AD09CAB6

Function 006AAA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 006AAA8B

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 03ad32099f12146e9593948b50d6efd472df6c4bc19e7cd231de6f6e799e5659
Instruction ID: 2b20b3e6bd1562f35aa42ec6797e587f6d1d1948bb76f74f8f2ee631bc5c90bd
Opcode Fuzzy Hash: 03ad32099f12146e9593948b50d6efd472df6c4bc19e7cd231de6f6e799e5659
Instruction Fuzzy Hash: 261130716042459FEB10DF59D984796BBD8AB05310F08C4AADE45CB741E774E904CF62

Function 006AB1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 006AB208

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: eac2332c3b436122b5ec951bc48f2a7001b859285814dfe0288656bc112703bf
Instruction ID: eaa013e670da69f049cc231bde7b85d95557ad770c4413d6b5f7a3b18a0a2a91
Opcode Fuzzy Hash: eac2332c3b436122b5ec951bc48f2a7001b859285814dfe0288656bc112703bf
Instruction Fuzzy Hash: 52119A715093809FDB128F25DC84B56FFA8DF46220F0884EAED858F252D275A908CB62

Function 006AAF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 006AAFE4

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: b6ae9624c2abcc9150302054aedf06817d98cd39768716c8f49d5b6f7b26e650
Instruction ID: 4e8a5c984fe50846a7b97a1a6279992bf3ffe65ea84a1f5b7f429a6fbe741174
Opcode Fuzzy Hash: b6ae9624c2abcc9150302054aedf06817d98cd39768716c8f49d5b6f7b26e650
Instruction Fuzzy Hash: 01119E715093C09FD7128B25DC45A52BFF8EF06220F0984DAE9858B663D374AC08DB61

Function 006AABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 006AAC36

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 603c4f931ca4e3d36685fb08aa38219ce8f7d5c27d2823e48e1e3a18cfc28212
Instruction ID: 828295b0a2482d5cb9b8b1627b7991bc74cfa3b13f9f6a17c87837771b1b29c5
Opcode Fuzzy Hash: 603c4f931ca4e3d36685fb08aa38219ce8f7d5c27d2823e48e1e3a18cfc28212
Instruction Fuzzy Hash: 0F01B171600201ABD310DF16CD45B66FBE8FB88B20F14856AED089BB41D731F915CBE1

Function 006AA172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 006AA1C2

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 3968806d941c116a757f29a0fd2af3adda227a30587dbc477bb2d034c1a9bf75
Instruction ID: f9f91fa20ae392499656cab0141853e58c7a1fc20ae9674e74d04c3de1630c2c
Opcode Fuzzy Hash: 3968806d941c116a757f29a0fd2af3adda227a30587dbc477bb2d034c1a9bf75
Instruction Fuzzy Hash: 3401B171600201ABD310DF16CD45B66FBE8EB88A20F14856AED089BB41D735F915CBE1

Function 006AA716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 006AA748

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a36e8ac15e8b7a30203d86f5e7d863440502cc8ad70c079cf5b0efef57b2f2f7
Instruction ID: e4888cdf3048e167efe9e3b9a4ab95b12df10b3e3f9ec3f1e124927885172b59
Opcode Fuzzy Hash: a36e8ac15e8b7a30203d86f5e7d863440502cc8ad70c079cf5b0efef57b2f2f7
Instruction Fuzzy Hash: 15015A79A042448FDB209F59D9857A6BBE8DB05320F18C4AADD098B752D375E848CEA2

Function 006AAFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 006AAFE4

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 80a0a6c2b5871a0134bdeea2bb48fa9fbd39878eb1ecc763c35be1bd7ce2d17e
Instruction ID: f8e12c55426e858ae39187d50c6414d0a66db270f0e26a4f08fb1a0a1e03828f
Opcode Fuzzy Hash: 80a0a6c2b5871a0134bdeea2bb48fa9fbd39878eb1ecc763c35be1bd7ce2d17e
Instruction Fuzzy Hash: B201AD755042448FDB249F19E9847A6FFE4EF05324F08C0AADD058BB52D375EC48DEA2

Function 006AA2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 006AA30C

Memory Dump Source

Source File: 00000000.00000002.4433769971.00000000006AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8c477b942c8eb9bd08fc99de292f77f377ebfc42662aa8eedaf0b12c54e907ad
Instruction ID: dee1a5eb7116bb17053e96a7645e99bf0e4a97bd362bc4675d6a2ce3691409c2
Opcode Fuzzy Hash: 8c477b942c8eb9bd08fc99de292f77f377ebfc42662aa8eedaf0b12c54e907ad
Instruction Fuzzy Hash: 3EF0AF359042448FDB209F06D984765FFE4EF15720F08C0AADD498B752D375E808CFA2

Function 00D00C99 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

[Md, xrefs: 00D00D43, 00D00D48

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID: [Md
API String ID: 0-1153324078
Opcode ID: 91d4149b6cc2e4b098837247b261d452f061fea2edf6f51d1e7b96a55b948ded
Instruction ID: a8138bf9626fbf876bc785b8123f9bad7cbe44426a5c915f4797d4938efab3fc
Opcode Fuzzy Hash: 91d4149b6cc2e4b098837247b261d452f061fea2edf6f51d1e7b96a55b948ded
Instruction Fuzzy Hash: 7021F230B002558FC715EB3985517AEBFEB9FC5204B54882CD486DB385DB3AED028BA6

Function 00D00CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

[Md, xrefs: 00D00D43, 00D00D48

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID: [Md
API String ID: 0-1153324078
Opcode ID: 3298fd5762869a0ce19c6afb2253fad927fa4a61f49fe6d6d6b053f97db0c41c
Instruction ID: 084828e21a55aea735a10c5d26888518148d28b1eccf02f145775c44bd813cb4
Opcode Fuzzy Hash: 3298fd5762869a0ce19c6afb2253fad927fa4a61f49fe6d6d6b053f97db0c41c
Instruction Fuzzy Hash: C621F830B002058FC714EB3985517AFBBEB5BC5208B54883CC086D7745DF79ED068BA6

Function 00D002C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6846470e64ebfc5615bb31f4440e2b4ea799da354217ca92a730f3a64748416e
Instruction ID: 59c31d19a6713062f63e44eef93269164f3fb95cfde4603a3c111544857fd8a4
Opcode Fuzzy Hash: 6846470e64ebfc5615bb31f4440e2b4ea799da354217ca92a730f3a64748416e
Instruction Fuzzy Hash: A2B17C34740114DFC754EB65E958B5E7BB3EF88342B64C528D9069B3AADB389C40CBA0

Function 00D00799 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2fe0ea103b4bbb87d8db9fc4b77e858589520f3bbaf021f5e87a891fdbac01
Instruction ID: 6f80221c4e08c71d8cf290f051dc92331dde65fea813aff65e4a14882e43adc8
Opcode Fuzzy Hash: 0e2fe0ea103b4bbb87d8db9fc4b77e858589520f3bbaf021f5e87a891fdbac01
Instruction Fuzzy Hash: 7FA19D30B002018BDB14AB78D955B7E77E3EF88309F248429D90A977A5DF789D42CBA1

Function 00D00BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec87feb762aafb059b2f9a0cb1595d5c7a0ef170584465985b2d0c2f9bd4698
Instruction ID: 1a334f975e797c6e90adaba527df735e10acd151728d60928289c4073e5b0e25
Opcode Fuzzy Hash: 1ec87feb762aafb059b2f9a0cb1595d5c7a0ef170584465985b2d0c2f9bd4698
Instruction Fuzzy Hash: 14119132B10118AFCB049BB8D845DDF7BF6BB88314B244579E605E7275DF39980587D1

Function 00D205E1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434166502.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e56e57a195f845b030a0e581640febd0f75c410bd50567e6343852dbf689405
Instruction ID: 2d175d3ba6b62ef718fd4adf30c4fa3fb5069a1d6e50be76949d3c3a4ec87a97
Opcode Fuzzy Hash: 8e56e57a195f845b030a0e581640febd0f75c410bd50567e6343852dbf689405
Instruction Fuzzy Hash: 6A01DBB55093805FC7118F059C40872FFE8DB86230709C4AFE8498BA52D229AC09C771

Function 00D2082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434166502.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f284f475d5b3312e0633148f0b0a6fcdf6e3f95eb21d7b4033e85cf6711a5e5
Instruction ID: fe9e767cecb418092afd85ff75c74253c34c7849d4545ef069eb039ef7864773
Opcode Fuzzy Hash: 5f284f475d5b3312e0633148f0b0a6fcdf6e3f95eb21d7b4033e85cf6711a5e5
Instruction Fuzzy Hash: 0FF082B2855204AB9340DF05ED45866FBECDF94521F04C57AEC488BB04E37ABD198BF6

Function 00D00C50 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b1b48394f3fbd94b49bf0363da4aacb2f5213ffc525cd7dd23c92e01eeb3ac
Instruction ID: 032f182f5949678d907d94ea467c33c09f59d8520755a3d370b42273e841661b
Opcode Fuzzy Hash: 63b1b48394f3fbd94b49bf0363da4aacb2f5213ffc525cd7dd23c92e01eeb3ac
Instruction Fuzzy Hash: 5EE09231B083542FCB04DFBD984159EBFE99B86124B5544B9C108DB251EF399C018791

Function 00D20606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434166502.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537ae7803091bf90168106c9c34822d8146c6023aeca64b8a4ef9e77dabb80e2
Instruction ID: 5d00c4570f778563dc1135be8c660f77d87412e4d7724e4dcdbf4e944ae13f75
Opcode Fuzzy Hash: 537ae7803091bf90168106c9c34822d8146c6023aeca64b8a4ef9e77dabb80e2
Instruction Fuzzy Hash: 90E092B66006444B9750CF0AED41462FBD8EB88630748C47FDC0D8BB01E239B908CBE5

Function 00D00C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ef9d6cd83d150b0b90866abd4fa3630032285474ab4410690a2de172f6673
Instruction ID: 985d91742692199d4de11956c9953944c0b790d3c92eec257c44e7f6beda00d6
Opcode Fuzzy Hash: 592ef9d6cd83d150b0b90866abd4fa3630032285474ab4410690a2de172f6673
Instruction Fuzzy Hash: FAD01231F042182B8B48EFF9985159EBAEA9B84154B55447D9009D7340EE399C0187D1

Function 00D00E08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b3cb6452ec816ad737a9893f180c51aad337a9a05ac3602bcc6cbe3f28dc1b
Instruction ID: 91c1e5ecbece06eae467d14f1130acf1098827b35aa0c86db0f53121bfe630fc
Opcode Fuzzy Hash: a1b3cb6452ec816ad737a9893f180c51aad337a9a05ac3602bcc6cbe3f28dc1b
Instruction Fuzzy Hash: A4E08C312003008FC705F728EA5BA95BFA8AB82314F59C596D8085F1A7C778EC00CB65

Function 00D00DD1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c242f9649c28833e95159ae49a1033a2c5aa8cf5b8c5b4aa1e7a3fd6ebbac721
Instruction ID: 4cf36cbf9363560468b23cab90875b660d36337cf26d3667114bd182fe7c7b79
Opcode Fuzzy Hash: c242f9649c28833e95159ae49a1033a2c5aa8cf5b8c5b4aa1e7a3fd6ebbac721
Instruction Fuzzy Hash: C5E0C2302043008FC306EB24C566B557FA9ABC1304F4A8596C4084F2E7C738DD80C790

Function 006A23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4433751849.00000000006A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 006A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25284050e3c35e63741cbbce65090f42ba99489164e23a896d5ce73055c7ecb
Instruction ID: 02fcda180d218d0dc88ddeb104addbeb107846b5344ea90ebc47340b15fc02bf
Opcode Fuzzy Hash: f25284050e3c35e63741cbbce65090f42ba99489164e23a896d5ce73055c7ecb
Instruction Fuzzy Hash: 60D02E392407C24FD326AB0CC2A4BC637E4AB66704F0A44F9A800CB763C728DCC0CA10

Function 006A23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4433751849.00000000006A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 006A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0468b484dcc990076519ff9e2c3edc10a8565420e64c5b0155a136d0082696b
Instruction ID: 5e2d6d4551b4d398c5c3020d75a00ebc000156f8e06c4c1e3c25f24f85b0a7f2
Opcode Fuzzy Hash: b0468b484dcc990076519ff9e2c3edc10a8565420e64c5b0155a136d0082696b
Instruction Fuzzy Hash: 01D05E352402824BCB25EA0CC2E4F9937D5AB42714F0648E8AC108B762C7A8DCC0DE00

Function 00D00E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cf2b085169ca21b4b353e93ccbe0bb79c9350766c8ef0d31aa7bae7e9fbb00
Instruction ID: 2e335b7db723674d912bea29d84bd2ad3fd678ab66e87efeb5b73767ae4865ad
Opcode Fuzzy Hash: a0cf2b085169ca21b4b353e93ccbe0bb79c9350766c8ef0d31aa7bae7e9fbb00
Instruction Fuzzy Hash: 09C012303402048FC704B778D519F697B9957C5304F98C564A80C1B296CB78EC40C694

Function 00D00DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4434153055.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b323f62b5d81e92e99606c8f027cb582da42db8a81a3b9a384fbd2e88359b5b
Instruction ID: 4f433c9b87894ebbf687336dc9e9cea4227189735df830e0aeaacf6e97b65b10
Opcode Fuzzy Hash: 1b323f62b5d81e92e99606c8f027cb582da42db8a81a3b9a384fbd2e88359b5b
Instruction Fuzzy Hash: 88C012303402048FC704B778D519F6A779657C0304F59C564D40C1B296CB78EC80C6D4

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QuarantineDownload.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 2604, Parent PID: 1028

General

Chronological Activities

Analysis Process: 7za.exePID: 6504, Parent PID: 2604

General

Chronological Activities

Analysis Process: conhost.exePID: 6604, Parent PID: 6504

General

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 2604, Parent PID: 1028COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 006AB1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Function 006AB246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Control-flow Graph

Windows Analysis Report
QuarantineDownload.zip

Function 006AB246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 006AAD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 006AAB76 Relevance: 1.6, APIs: 1, Instructions: 93
pipeCOMMON

Function 006AA5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 006AA120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Function 006AA370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 006AB276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 006AAD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 006AA850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 006AA933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 006AA5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 006AA78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 006AA6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 006AAA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 006AA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON