Edit tour
Windows
Analysis Report
PyIsvSahWy.exe
Overview
General Information
| Sample name: | PyIsvSahWy.exerenamed because original name is a hash value |
| Original sample name: | ae601b5d146625e57ed192f334882823.exe |
| Analysis ID: | 1577609 |
| MD5: | ae601b5d146625e57ed192f334882823 |
| SHA1: | 882a2f15960cacbe612a73170b2d577e6476730f |
| SHA256: | 8a50b6a8a1aaf1304c853d1ff3f6e93d65172b1f0381e2b86cef8d550100627a |
| Tags: | exeuser-abuse_ch |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Classification
- System is w10x64
PyIsvSahWy.exe (PID: 3840 cmdline: "C:\Users\ user\Deskt op\PyIsvSa hWy.exe" MD5: AE601B5D146625E57ED192F334882823)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF6B90785A0 | |
| Source: | Code function: | 0_2_00007FF6B90779B0 | |
| Source: | Code function: | 0_2_00007FF6B9090B84 | |
| Source: | Code function: | 0_2_00007FF6B9095C74 | |
| Source: | Code function: | 0_2_00007FF6B9071000 | |
| Source: | Code function: | 0_2_00007FF6B9098A38 | |
| Source: | Code function: | 0_2_00007FF6B9080A60 | |
| Source: | Code function: | 0_2_00007FF6B9081280 | |
| Source: | Code function: | 0_2_00007FF6B9087AAC | |
| Source: | Code function: | 0_2_00007FF6B9078B20 | |
| Source: | Code function: | 0_2_00007FF6B909518C | |
| Source: | Code function: | 0_2_00007FF6B90891B0 | |
| Source: | Code function: | 0_2_00007FF6B908D200 | |
| Source: | Code function: | 0_2_00007FF6B9080C64 | |
| Source: | Code function: | 0_2_00007FF6B9081484 | |
| Source: | Code function: | 0_2_00007FF6B9082CC4 | |
| Source: | Code function: | 0_2_00007FF6B9090B84 | |
| Source: | Code function: | 0_2_00007FF6B90933BC | |
| Source: | Code function: | 0_2_00007FF6B90873F4 | |
| Source: | Code function: | 0_2_00007FF6B908FBD8 | |
| Source: | Code function: | 0_2_00007FF6B9080E70 | |
| Source: | Code function: | 0_2_00007FF6B9094F10 | |
| Source: | Code function: | 0_2_00007FF6B908FBD8 | |
| Source: | Code function: | 0_2_00007FF6B9095728 | |
| Source: | Code function: | 0_2_00007FF6B9081F30 | |
| Source: | Code function: | 0_2_00007FF6B9092F20 | |
| Source: | Code function: | 0_2_00007FF6B908CD6C | |
| Source: | Code function: | 0_2_00007FF6B90795FB | |
| Source: | Code function: | 0_2_00007FF6B9085040 | |
| Source: | Code function: | 0_2_00007FF6B9081074 | |
| Source: | Code function: | 0_2_00007FF6B908D880 | |
| Source: | Code function: | 0_2_00007FF6B90828C0 | |
| Source: | Code function: | 0_2_00007FF6B907979B | |
| Source: | Code function: | 0_2_00007FF6B9079FCD | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00007FF6B90729E0 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF6B9076EA0 | |
| Source: | Check user administrative privileges: | graph_0-17488 | ||
| Source: | API coverage: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00007FF6B90785A0 | |
| Source: | Code function: | 0_2_00007FF6B90779B0 | |
| Source: | Code function: | 0_2_00007FF6B9090B84 | |
| Source: | Code function: | 0_2_00007FF6B907C44C | |
| Source: | Code function: | 0_2_00007FF6B9092790 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00007FF6B907C44C | |
| Source: | Code function: | 0_2_00007FF6B907BBC0 | |
| Source: | Code function: | 0_2_00007FF6B907C62C | |
| Source: | Code function: | 0_2_00007FF6B9089924 | |
| Source: | Code function: | 0_2_00007FF6B9098880 | |
| Source: | Code function: | 0_2_00007FF6B907C330 | |
| Source: | Code function: | 0_2_00007FF6B909518C | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 29% | ReversingLabs | Win64.Trojan.Etset |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high | |
| ax-0001.ax-msedge.net | 150.171.27.10 | true | false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1577609 |
| Start date and time: | 2024-12-18 15:53:53 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 14s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 17 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | PyIsvSahWy.exerenamed because original name is a hash value |
| Original Sample Name: | ae601b5d146625e57ed192f334882823.exe |
| Detection: | MAL |
| Classification: | mal48.winEXE@1/0@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.95.31.18, 92.122.16.236, 13.107.246.63, 20.190.177.148, 20.223.35.26, 2.16.158.33, 4.245.163.56, 150.171.27.10, 2.16.158.176
- Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, login.live.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
- VT rate limit hit for: PyIsvSahWy.exe
⊘No simulations
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ax-0001.ax-msedge.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Socks5Systemz | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | SystemBC | Browse |
| ||
| bg.microsoft.map.fastly.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Socks5Systemz | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AsyncRAT, DcRat, Stealerium | Browse |
|
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.924314180370906 |
| TrID: |
|
| File name: | PyIsvSahWy.exe |
| File size: | 1'803'264 bytes |
| MD5: | ae601b5d146625e57ed192f334882823 |
| SHA1: | 882a2f15960cacbe612a73170b2d577e6476730f |
| SHA256: | 8a50b6a8a1aaf1304c853d1ff3f6e93d65172b1f0381e2b86cef8d550100627a |
| SHA512: | b78edaeebaf3a206729f528a0bd6e73003a5650ec8f01d0bbd0c87c328fedd865f9443f8302008442d6fd90e20967d33ede942dfd70d3cd78b563c4208b2b876 |
| SSDEEP: | 49152:6riCrSsBav5PTa1cluR79QyQsb8QBFO89B:6TSiUlux9XQsb8QzpB |
| TLSH: | BC851298B3E50EE5FDB7513EC8528607D7B2BC220760DA9F03B046670F136E59D2A792 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc.....[hc...`.Qhc...g.Ihc...f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x14000c0d0 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x669909F2 [Thu Jul 18 12:26:26 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 456e8615ad4320c9f54e50319a19df9c |
| Signature Valid: | |
| Signature Issuer: | |
| Signature Validation Error: | |
| Error Number: | |
| Not Before, Not After | |
| Subject Chain | |
| Version: | |
| Thumbprint MD5: | |
| Thumbprint SHA-1: | |
| Thumbprint SHA-256: | |
| Serial: |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007FB20CAD3AACh |
| dec eax |
| add esp, 28h |
| jmp 00007FB20CAD36CFh |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| call 00007FB20CAD3E78h |
| test eax, eax |
| je 00007FB20CAD3873h |
| dec eax |
| mov eax, dword ptr [00000030h] |
| dec eax |
| mov ecx, dword ptr [eax+08h] |
| jmp 00007FB20CAD3857h |
| dec eax |
| cmp ecx, eax |
| je 00007FB20CAD3866h |
| xor eax, eax |
| dec eax |
| cmpxchg dword ptr [0003843Ch], ecx |
| jne 00007FB20CAD3840h |
| xor al, al |
| dec eax |
| add esp, 28h |
| ret |
| mov al, 01h |
| jmp 00007FB20CAD3849h |
| int3 |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| test ecx, ecx |
| jne 00007FB20CAD3859h |
| mov byte ptr [00038425h], 00000001h |
| call 00007FB20CAD2FA5h |
| call 00007FB20CAD4290h |
| test al, al |
| jne 00007FB20CAD3856h |
| xor al, al |
| jmp 00007FB20CAD3866h |
| call 00007FB20CAE0D9Fh |
| test al, al |
| jne 00007FB20CAD385Bh |
| xor ecx, ecx |
| call 00007FB20CAD42A0h |
| jmp 00007FB20CAD383Ch |
| mov al, 01h |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| cmp byte ptr [000383ECh], 00000000h |
| mov ebx, ecx |
| jne 00007FB20CAD38B9h |
| cmp ecx, 01h |
| jnbe 00007FB20CAD38BCh |
| call 00007FB20CAD3DEEh |
| test eax, eax |
| je 00007FB20CAD387Ah |
| test ebx, ebx |
| jne 00007FB20CAD3876h |
| dec eax |
| lea ecx, dword ptr [000383D6h] |
| call 00007FB20CAE0B92h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c76c | 0x78 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x94c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x46000 | 0x2208 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8beba3 | 0x2448 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4a000 | 0x768 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x39dc0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39c80 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x450 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x29210 | 0x29400 | aca64598002ecff9eefbc96554edf015 | False | 0.5511067708333334 | data | 6.4784482217419175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2b000 | 0x12642 | 0x12800 | 707f62f07c15d947659847c2c167585f | False | 0.524585620777027 | data | 5.750842204545925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3e000 | 0x73d8 | 0xe00 | d0a288978c66419b180b35f625b6dce7 | False | 0.13532366071428573 | data | 1.8378139998458343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x46000 | 0x2208 | 0x2400 | 74cf3ea22e0a1756984435d6f80f7da5 | False | 0.4671223958333333 | data | 5.259201915045256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x49000 | 0x94c | 0xa00 | c1b8b9c35bd90af92121f3e7dc8cea02 | False | 0.428515625 | data | 5.096629753028753 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x4a000 | 0x768 | 0x800 | 71de9271648326ec88350e903470cf3e | False | 0.5576171875 | data | 5.283119454571673 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x490a0 | 0x39c | data | 0.45670995670995673 | ||
| RT_MANIFEST | 0x4943c | 0x50d | XML 1.0 document, ASCII text | 0.4694508894044857 |
| DLL | Import |
|---|---|
| USER32.dll | CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW |
| COMCTL32.dll | |
| KERNEL32.dll | GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, GetLastError, FormatMessageW, GetModuleFileNameW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, CreateDirectoryW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, WaitForSingleObject, Sleep, GetCurrentProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW |
| ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW |
| GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 18, 2024 15:55:14.254487038 CET | 1.1.1.1 | 192.168.2.6 | 0x1998 | No error (0) | ax-0001.ax-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 18, 2024 15:55:14.254487038 CET | 1.1.1.1 | 192.168.2.6 | 0x1998 | No error (0) | 150.171.27.10 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 15:55:14.254487038 CET | 1.1.1.1 | 192.168.2.6 | 0x1998 | No error (0) | 150.171.28.10 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 15:55:37.865242958 CET | 1.1.1.1 | 192.168.2.6 | 0xb3e9 | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 15:55:37.865242958 CET | 1.1.1.1 | 192.168.2.6 | 0xb3e9 | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Target ID: | 0 |
| Start time: | 09:54:49 |
| Start date: | 18/12/2024 |
| Path: | C:\Users\user\Desktop\PyIsvSahWy.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b9070000 |
| File size: | 1'803'264 bytes |
| MD5 hash: | AE601B5D146625E57ED192F334882823 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 5.2% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 19.8% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 23 |
Graph
Function 00007FF6B9071000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90718F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908AD6C Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90733E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90725F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B907F45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908B444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908B1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908AC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B907F6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908C90C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9076EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90933BC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90779B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90729E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9089924 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B907C330 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9098A38 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90828C0 Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9078B20 Relevance: .3, Instructions: 287COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9081F30 Relevance: .2, Instructions: 241COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908D880 Relevance: .2, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9095728 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9080C64 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9081484 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9081074 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9080A60 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9081280 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9080E70 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9085040 Relevance: .1, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90891B0 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90873F4 Relevance: .1, Instructions: 98COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9098880 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B907C62C Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90750B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90715C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90777D0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 115COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90720F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90855A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 493COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90802E8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9071050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9071440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9077FC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89processsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B907DD28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90711F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908E020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9077C40 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B907CFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908A460 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B909707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9078400 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908A5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9072300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9072760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9088DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9098678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908A6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B90852B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908EED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B907C968 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B907E1F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B907E5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9077530 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9072870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B9094E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908832C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908F8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908BF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908E8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B907F068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B908FA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|