Edit tour

Windows Analysis Report
ITC590-Script 3 V2-P-2024.exe

Overview

General Information

Sample name:	ITC590-Script 3 V2-P-2024.exe
Analysis ID:	1522423
MD5:	ae50e6bab627b7a39408186e75821ea3
SHA1:	69ce995fc2e079c7a7afc9f327a5949356ef6223
SHA256:	ca7788bea6909aab6f62b8218025f2b6050c27ffac885e457c60fdc57b2c2d67
Tags:	exeuser-Dyrockful
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Found pyInstaller with non standard icon

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

ITC590-Script 3 V2-P-2024.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe" MD5: AE50E6BAB627B7A39408186E75821EA3)

ITC590-Script 3 V2-P-2024.exe (PID: 6928 cmdline: "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe" MD5: AE50E6BAB627B7A39408186E75821EA3)

cleanup

Suricata Signatures

ET MALWARE Test CnC Domain in DNS Lookup (test .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T02:11:08.544585+0200	2049956	1	A Network Trojan was detected	192.168.2.4	55846	1.1.1.1	53	UDP

ET MALWARE X CnC Domain in DNS Lookup (test .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T02:11:08.544585+0200	2049957	1	A Network Trojan was detected	192.168.2.4	55846	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ITC590-Script 3 V2-P-2024.exe	ReversingLabs: Detection: 13%
Source: ITC590-Script 3 V2-P-2024.exe	Virustotal: Detection: 27%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: ITC590-Script 3 V2-P-2024.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmp, select.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmp, python312.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: libcrypto-3.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650421083.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: libcrypto-3.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650421083.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: libcrypto-3.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmp, _socket.pyd.0.dr

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D689280 FindFirstFileExW,FindClose,	0_2_00007FF77D689280
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF77D6883C0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF77D6A1874
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D689280 FindFirstFileExW,FindClose,	1_2_00007FF77D689280
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF77D6A1874
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF77D6883C0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049956 - Severity 1 - ET MALWARE Test CnC Domain in DNS Lookup (test .com) : 192.168.2.4:55846 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049957 - Severity 1 - ET MALWARE X CnC Domain in DNS Lookup (test .com) : 192.168.2.4:55846 -> 1.1.1.1:53

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Code function: 1_2_00007FFE133365E8 memset,recvfrom,

1_2_00007FFE133365E8

Source: global traffic	DNS traffic detected: DNS query: malicious-site.net
Source: global traffic	DNS traffic detected: DNS query: suspicious-domain.org
Source: global traffic	DNS traffic detected: DNS query: test.com

Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000002.2671212787.00000177E307E000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E307E000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000002.2671212787.00000177E307E000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E307E000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000002.2671212787.00000177E307E000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E307E000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: unicodedata.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000002.2671212787.00000177E307E000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E307E000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000002.2671212787.00000177E307E000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E307E000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1652602238.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1654542163.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-3.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, python312.dll.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.1658755684.000001AC6F230000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F15C000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F15C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F15C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F1A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665778516.000001AC6F450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665778516.000001AC6F450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F15C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662185314.000001AC6D8C3000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664033273.000001AC6D8CC000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662498447.000001AC6D8C6000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664062665.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665171674.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662185314.000001AC6D8C3000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664033273.000001AC6D8CC000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665220554.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663055050.000001AC6D8EF000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662498447.000001AC6D8C6000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664062665.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665171674.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663467952.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663467952.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662185314.000001AC6D8C3000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664033273.000001AC6D8CC000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665220554.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663055050.000001AC6D8EF000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662498447.000001AC6D8C6000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664062665.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665171674.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663467952.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662185314.000001AC6D8C3000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664033273.000001AC6D8CC000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665220554.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663055050.000001AC6D8EF000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662498447.000001AC6D8C6000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664062665.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665171674.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663467952.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665778516.000001AC6F450000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://peps.python.org/pep-0205/
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmp, python312.dll.0.dr	String found in binary or memory: https://peps.python.org/pep-0263/
Source: libcrypto-3.dll.0.dr	String found in binary or memory: https://www.openssl.org/H
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667195570.00007FFDFB769000.00000008.00000001.01000000.00000004.sdmp, python312.dll.0.dr	String found in binary or memory: https://www.python.org/psf/license/
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmp, python312.dll.0.dr	String found in binary or memory: https://www.python.org/psf/license/)

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D681000	0_2_00007FF77D681000
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A6964	0_2_00007FF77D6A6964
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6889E0	0_2_00007FF77D6889E0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A5E7C	0_2_00007FF77D6A5E7C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D69DEF0	0_2_00007FF77D69DEF0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D699EA0	0_2_00007FF77D699EA0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D69E570	0_2_00007FF77D69E570
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D691D54	0_2_00007FF77D691D54
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D695D30	0_2_00007FF77D695D30
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6935A0	0_2_00007FF77D6935A0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A1874	0_2_00007FF77D6A1874
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6980E4	0_2_00007FF77D6980E4
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A08C8	0_2_00007FF77D6A08C8
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A40AC	0_2_00007FF77D6A40AC
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D698794	0_2_00007FF77D698794
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D691F60	0_2_00007FF77D691F60
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D691740	0_2_00007FF77D691740
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A9728	0_2_00007FF77D6A9728
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D689800	0_2_00007FF77D689800
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D69DA5C	0_2_00007FF77D69DA5C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D68A2DB	0_2_00007FF77D68A2DB
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D692164	0_2_00007FF77D692164
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D691944	0_2_00007FF77D691944
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6939A4	0_2_00007FF77D6939A4
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D68A47B	0_2_00007FF77D68A47B
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A08C8	0_2_00007FF77D6A08C8
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A6418	0_2_00007FF77D6A6418
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D68ACAD	0_2_00007FF77D68ACAD
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D691B50	0_2_00007FF77D691B50
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A3C10	0_2_00007FF77D6A3C10
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D692C10	0_2_00007FF77D692C10
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A5C00	0_2_00007FF77D6A5C00
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D681000	1_2_00007FF77D681000
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A6964	1_2_00007FF77D6A6964
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A5E7C	1_2_00007FF77D6A5E7C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D69DEF0	1_2_00007FF77D69DEF0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D699EA0	1_2_00007FF77D699EA0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D69E570	1_2_00007FF77D69E570
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D691D54	1_2_00007FF77D691D54
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D695D30	1_2_00007FF77D695D30
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6935A0	1_2_00007FF77D6935A0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A1874	1_2_00007FF77D6A1874
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6980E4	1_2_00007FF77D6980E4
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A08C8	1_2_00007FF77D6A08C8
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A40AC	1_2_00007FF77D6A40AC
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D698794	1_2_00007FF77D698794
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D691F60	1_2_00007FF77D691F60
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D691740	1_2_00007FF77D691740
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A9728	1_2_00007FF77D6A9728
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D689800	1_2_00007FF77D689800
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D69DA5C	1_2_00007FF77D69DA5C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D68A2DB	1_2_00007FF77D68A2DB
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D692164	1_2_00007FF77D692164
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D691944	1_2_00007FF77D691944
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6889E0	1_2_00007FF77D6889E0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6939A4	1_2_00007FF77D6939A4
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D68A47B	1_2_00007FF77D68A47B
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A08C8	1_2_00007FF77D6A08C8
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A6418	1_2_00007FF77D6A6418
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D68ACAD	1_2_00007FF77D68ACAD
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D691B50	1_2_00007FF77D691B50
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A3C10	1_2_00007FF77D6A3C10
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D692C10	1_2_00007FF77D692C10
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A5C00	1_2_00007FF77D6A5C00
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE00451880	1_2_00007FFE00451880
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE004512F0	1_2_00007FFE004512F0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE133310C0	1_2_00007FFE133310C0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE13333B20	1_2_00007FFE13333B20
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE1A457CA0	1_2_00007FFE1A457CA0

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: String function: 00007FF77D682710 appears 104 times
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: String function: 00007FF77D682910 appears 34 times

Source: unicodedata.pyd.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650421083.00000177E3071000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe	Binary or memory string: OriginalFilename vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667446336.00007FFDFB891000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython312.dll. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667854016.00007FFE148E6000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs ITC590-Script 3 V2-P-2024.exe

Source: classification engine

Classification label: mal64.winEXE@3/11@5/10

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI68802

Jump to behavior

Source: ITC590-Script 3 V2-P-2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ITC590-Script 3 V2-P-2024.exe	ReversingLabs: Detection: 13%
Source: ITC590-Script 3 V2-P-2024.exe	Virustotal: Detection: 27%

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

File read: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Process created: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Process created: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: ITC590-Script 3 V2-P-2024.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ITC590-Script 3 V2-P-2024.exe

Static file information: File size 7247553 > 1048576

Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ITC590-Script 3 V2-P-2024.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: ITC590-Script 3 V2-P-2024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmp, select.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmp, python312.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: libcrypto-3.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650421083.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: libcrypto-3.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650421083.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: libcrypto-3.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmp, _socket.pyd.0.dr

Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ITC590-Script 3 V2-P-2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python312.dll.0.dr	Static PE information: section name: PyRuntim

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Process created: "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68802\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68802\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68802\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68802\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68802\VCRUNTIME140.dll	Jump to dropped file

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Code function: 0_2_00007FF77D6876C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF77D6876C0

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\_decimal.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17547

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

API coverage: 4.5 %

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D689280 FindFirstFileExW,FindClose,	0_2_00007FF77D689280
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF77D6883C0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D6A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF77D6A1874
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D689280 FindFirstFileExW,FindClose,	1_2_00007FF77D689280
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF77D6A1874
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D6883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF77D6883C0

Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663088912.000001AC6F651000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664800905.000001AC6F660000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666127202.000001AC6F668000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Code function: 0_2_00007FF77D69A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF77D69A614

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Code function: 0_2_00007FF77D6A3480 GetProcessHeap,

0_2_00007FF77D6A3480

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D69A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF77D69A614
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D68C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF77D68C8A0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D68D30C SetUnhandledExceptionFilter,	0_2_00007FF77D68D30C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 0_2_00007FF77D68D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF77D68D12C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D69A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF77D69A614
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D68C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF77D68C8A0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D68D30C SetUnhandledExceptionFilter,	1_2_00007FF77D68D30C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FF77D68D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF77D68D12C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE00452A70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFE00452A70
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE00453028 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFE00453028
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE13332D70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFE13332D70
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE13333328 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFE13333328
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE148E14E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFE148E14E0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE148E1AA0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFE148E1AA0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE1A460AA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFE1A460AA8

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Process created: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Code function: 0_2_00007FF77D6A9570 cpuid

0_2_00007FF77D6A9570

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\unicodedata.pyd VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Code function: 0_2_00007FF77D68D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF77D68D010

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe

Code function: 0_2_00007FF77D6A5E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF77D6A5E7C

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE133350C0 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct,		1_2_00007FFE133350C0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe	Code function: 1_2_00007FFE133360CC _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct,		1_2_00007FFE133360CC

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ITC590-Script 3 V2-P-2024.exe	13%	ReversingLabs
ITC590-Script 3 V2-P-2024.exe	27%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\_MEI68802\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68802\VCRUNTIME140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI68802\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68802\_bz2.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI68802\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68802\_decimal.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI68802\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68802\_hashlib.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI68802\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68802\_lzma.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI68802\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68802\_socket.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI68802\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68802\libcrypto-3.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI68802\python312.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68802\python312.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI68802\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68802\select.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI68802\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68802\unicodedata.pyd	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
test.com	3%	Virustotal	Browse
malicious-site.net	0%	Virustotal	Browse
suspicious-domain.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.openssl.org/H	0%	URL Reputation	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Virustotal		Browse
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	0%	Virustotal		Browse
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	0%	Virustotal		Browse
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	0%	Virustotal		Browse
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	0%	Virustotal		Browse
https://peps.python.org/pep-0205/	0%	Virustotal		Browse
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Virustotal		Browse
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package	0%	Virustotal		Browse
https://docs.python.org/3/howto/mro.html.	1%	Virustotal		Browse
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Virustotal		Browse
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	0%	Virustotal		Browse
https://www.python.org/psf/license/)	0%	Virustotal		Browse
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	0%	Virustotal		Browse
https://peps.python.org/pep-0263/	0%	Virustotal		Browse
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Virustotal		Browse
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module	0%	Virustotal		Browse
https://www.python.org/psf/license/	0%	Virustotal		Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	0%	Virustotal		Browse
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
test.com	34.224.149.186	true	false	3%, Virustotal, Browse	unknown
malicious-site.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
suspicious-domain.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F0E0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F15C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662185314.000001AC6D8C3000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664033273.000001AC6D8CC000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665220554.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663055050.000001AC6D8EF000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662498447.000001AC6D8C6000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664062665.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665171674.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663467952.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F15C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.openssl.org/H	libcrypto-3.dll.0.dr	false	URL Reputation: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665778516.000001AC6F450000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F15C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://peps.python.org/pep-0205/	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665778516.000001AC6F450000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	false	0%, Virustotal, Browse	unknown
https://docs.python.org/3/howto/mro.html.	ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.1658755684.000001AC6F230000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F15C000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	false	1%, Virustotal, Browse	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F1A4000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665778516.000001AC6F450000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662185314.000001AC6D8C3000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664033273.000001AC6D8CC000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665220554.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663055050.000001AC6D8EF000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662498447.000001AC6D8C6000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664062665.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665171674.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663467952.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.python.org/psf/license/)	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmp, python312.dll.0.dr	false	0%, Virustotal, Browse	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663467952.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662185314.000001AC6D8C3000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664033273.000001AC6D8CC000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662498447.000001AC6D8C6000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664062665.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665171674.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F0E0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662185314.000001AC6D8C3000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664033273.000001AC6D8CC000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665220554.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663055050.000001AC6D8EF000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662498447.000001AC6D8C6000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664062665.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665171674.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663467952.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://peps.python.org/pep-0263/	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmp, python312.dll.0.dr	false	0%, Virustotal, Browse	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665311859.000001AC6F0E0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.python.org/psf/license/	ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667195570.00007FFDFB769000.00000008.00000001.01000000.00000004.sdmp, python312.dll.0.dr	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
172.16.69.225
172.16.177.209
172.16.77.202
172.16.63.22
172.16.246.98
172.16.9.240
172.16.97.133
172.16.56.13
172.16.237.12
172.16.89.192

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522423
Start date and time:	2024-09-30 02:09:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ITC590-Script 3 V2-P-2024.exe
Detection:	MAL
Classification:	mal64.winEXE@3/11@5/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
test.com	Dev_Project.xls	Get hash	malicious	Unknown	Browse	51.68.214.101
	Dev_Project.xls	Get hash	malicious	Unknown	Browse	51.68.214.101
	http://propertyinaustralia.github.io/propertyinaustralia/property.html	Get hash	malicious	HTMLPhisher	Browse	172.67.192.119
	http://propertyinaustralia.github.io/propertyinaustralia/property.html	Get hash	malicious	HTMLPhisher	Browse	172.67.192.119
	https://bit.ly/2zH1V5k	Get hash	malicious	Unknown	Browse	34.224.149.186
	https://assets-usa.mkt.dynamics.com/c9f731e3-0864-ef11-a66d-6045bd003021/digitalassets/standaloneforms/0424cf3e-7364-ef11-bfe2-6045bd055762	Get hash	malicious	HTMLPhisher	Browse	162.241.61.243
	http://maliciouswebsitetest.com	Get hash	malicious	Unknown	Browse	50.63.7.226
	https://vozer.net/go/?to=aHR0cHM6Ly9vd3FjaC10ZWNueG4zMC5jb20vZ2UxL3Rlc3RAdGVzdC5jb20	Get hash	malicious	HTMLPhisher	Browse	3.18.255.247
	https://download.cnet.com/download/wcfstorm/3000-2218_4-10914361.html	Get hash	malicious	Unknown	Browse	216.239.32.62

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI68802\VCRUNTIME140.dll	ITC590-Script 2 V1-2024.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.1493.31362.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse
	HyZh4pn0RF.exe	Get hash	malicious	Creal Stealer	Browse
	file.exe	Get hash	malicious	Blank Grabber	Browse
	mfsH98ISNV.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	Dkqewub8RE.exe	Get hash	malicious	Unknown	Browse
	Dkqewub8RE.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI68802\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: ITC590-Script 2 V1-2024.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.1493.31362.exe, Detection: malicious, Browse Filename: HyZh4pn0RF.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: mfsH98ISNV.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Dkqewub8RE.exe, Detection: malicious, Browse Filename: Dkqewub8RE.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68802\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	85272
Entropy (8bit):	6.591457260071925
Encrypted:	false
SSDEEP:	1536:+yhz79151BVo1vXfzIFnaR4bO1AsCn8Bsjk+tI1CVQ7Sy4x+R:Nhzx15evXkuxAB8BMk+tI1CVQF
MD5:	DD26ED92888DE9C57660A7AD631BB916
SHA1:	77D479D44D9E04F0A1355569332233459B69A154
SHA-256:	324268786921EC940CBD4B5E2F71DAFD08E578A12E373A715658527E5B211697
SHA-512:	D693367565005C1B87823E781DC5925146512182C8D8A3A2201E712C88DF1C0E66E65ECAEC9AF22037F0A8F8B3FB3F511EA47CFD5774651D71673FAB612D2897
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................b....(......(......(......(......(.....................................................Rich...........PE..d......f.........." ...(.....^...............................................`............`.........................................p...H............@.......0..D......../...P..........T...........................p...@............................................text...#........................... ..`.rdata..P>.......@..................@..@.data........ ......................@....pdata..D....0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68802\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	257304
Entropy (8bit):	6.565090204799859
Encrypted:	false
SSDEEP:	6144:3uQjqbJrTwvqM+eYx+lDJOAkl9qWM53pLW1AcfRRR6tlISgOg:3sTwvWeS+xJw4ln7g
MD5:	CEA3B419C7CA87140A157629C6DBD299
SHA1:	7DBFF775235B1937B150AE70302B3208833DC9BE
SHA-256:	95B9850E6FB335B235589DD1348E007507C6B28E332C9ABB111F2A0035C358E5
SHA-512:	6E3A6781C0F05BB5182073CCA1E69B6DF55F05FF7CDCEA394BACF50F88605E2241B7387F1D8BA9F40A96832D04F55EDB80003F0CF1E537A26F99408EE9312F5B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V..............'.....g&......g&......g&......g&.......!.................9....!.......!.......!.......!K......!......Rich............PE..d.....f.........." ...(.....<............................................................`..........................................c..P....c...................&......./......T.......T...........................p...@............................................text...9........................... ..`.rdata..(...........................@..@.data...X*.......$...b..............@....pdata...&.......(..................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68802\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	66328
Entropy (8bit):	6.227566291152438
Encrypted:	false
SSDEEP:	1536:/9gLpgE4Z27ARZWZnEmoAlI1OIH7SyT0xq:26RZeEmoAlI1OIHth
MD5:	D19CB5CA144AE1FD29B6395B0225CF40
SHA1:	5B9EC6E656261CE179DFCFD5C6A3CFE07C2DFEB4
SHA-256:	F95EC2562A3C70FB1A6E44D72F4223CE3C7A0F0038159D09DCE629F59591D5AA
SHA-512:	9AC3A8A4DBDB09BE3760E7CCB11269F82A47B24C03D10D289BCDDED9A43E57D3CD656F8D060D66B810382ECAC3A62F101F83EA626B58CD0B5A3CCA25B67B1519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........N@.. ... ... ...... ..k!... ..k#... ..k$... ..k%... ..l!... ...!... ..h!... ...!.Y. ..l-... ..l ... ..l.... ..l"... .Rich.. .........................PE..d......f.........." ...(.V.......... @............................................../.....`.........................................p...P................................/......X...@}..T............................\|..@............p..(............................text....T.......V.................. ..`.rdata...O...p...P...Z..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68802\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	160024
Entropy (8bit):	6.85368707809341
Encrypted:	false
SSDEEP:	3072:lsvkxujgo7e2uONOG+hi+C8znfF9mNooXnmbutI1Z1mb:lnu0o7JUrNYOo2Kz
MD5:	8CFBAFE65D6E38DDE8E2E8006B66BB3E
SHA1:	CB63ADDD102E47C777D55753C00C29C547E2243C
SHA-256:	6D548DB0AB73291F82CF0F4CA9EC0C81460185319C8965E829FAEACAE19444FF
SHA-512:	FA021615D5C080AADCD5B84FD221900054EB763A7AF8638F70CF6CD49BD92773074F1AC6884F3CE1D8A15D59439F554381377FAEE4842ED5BEB13FF3E1B510F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D.3H%.`H%.`H%.`A]7`L%.`...aJ%.`...aK%.`...a@%.`...aD%.`]..aK%.`.].aJ%.`H%.`-%.`]..ar%.`]..aI%.`].[`I%.`]..aI%.`RichH%.`........................PE..d......f.........." ...(.f..........`8....................................................`......................................... %..L...l%..x....p.......P.......B.../......4.......T...............................@............................................text...be.......f.................. ..`.rdata..............j..............@..@.data...p....@......................@....pdata.......P......."..............@..@.rsrc........p.......6..............@..@.reloc..4............@..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68802\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83736
Entropy (8bit):	6.31969940395018
Encrypted:	false
SSDEEP:	1536:COYhekrkJqlerLSyypHi9/s+S+pzjii/n1IsJqKNBI1Lw9PD7Sy9duxJ:jwkJqHyypHi9/sT+pzjiE1IwdNBI1LwU
MD5:	E43AED7D6A8BCD9DDFC59C2D1A2C4B02
SHA1:	36F367F68FB9868412246725B604B27B5019D747
SHA-256:	2C2A6A6BA360E38F0C2B5A53B4626F833A3111844D95615EBF35BE0E76B1EF7A
SHA-512:	D92E26EB88DB891DE389A464F850A8DA0A39AF8A4D86D9894768CB97182B8351817CE14FE1EB8301B18B80D1D5D8876A48BA66EB7B874C7C3D7B009FCDBC8C4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...Nb}.Nb}.Nb}.6.}.Nb}g.c\|.Nb}g.a\|.Nb}g.f\|.Nb}g.g\|.Nb}..c\|.Nb}.Nc}.Nb}.6c\|.Nb}..o\|.Nb}..b\|.Nb}..}.Nb}..`\|.Nb}Rich.Nb}................PE..d......f.........." ...(.x..........0-.......................................`......@.....`.........................................@...P............@.......0.........../...P......P...T...............................@............................................text....v.......x.................. ..`.rdata...x.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1332769
Entropy (8bit):	5.586560217717372
Encrypted:	false
SSDEEP:	12288:VHlJGUqQlLmgBvc+fYNXPh26UZWAzyX7j7YQqPQCxi2hdmSPpHg1d6R1RbtRwv6:VHlJGUDa+zy/7UlZhdmSPNaQHtRwv6
MD5:	48BA559BF70C3EF963F86633530667D6
SHA1:	E3319E3A70590767AD00290230D77158F8F8307E
SHA-256:	F8377AA03B7036E7735E2814452C1759AB7CEEC3F8F8A202B697B4132809CE5E
SHA-512:	567A7BEF4A7C7FF0890708C0E62D2AF748B645C8B9071953873B0DD5AA789C42796860896A6B5E539651DE9A2243338E2A5FB47743C30DFCDE59B1787C4C1871
Malicious:	false
Preview:	PK..........!./gJ.O...O......._collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI68802\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5191960
Entropy (8bit):	5.962142634441191
Encrypted:	false
SSDEEP:	98304:n3+pefu6fSar+SJ8aqfPomg1CPwDvt3uFlDCE:3G+u6fb+SJ8aqfwmg1CPwDvt3uFlDCE
MD5:	E547CF6D296A88F5B1C352C116DF7C0C
SHA1:	CAFA14E0367F7C13AD140FD556F10F320A039783
SHA-256:	05FE080EAB7FC535C51E10C1BD76A2F3E6217F9C91A25034774588881C3F99DE
SHA-512:	9F42EDF04C7AF350A00FA4FDF92B8E2E6F47AB9D2D41491985B20CD0ADDE4F694253399F6A88F4BDD765C4F49792F25FB01E84EC03FD5D0BE8BB61773D77D74D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...m..l...i..l...h..l...o..l..m.y.l...m...l...o..l...h.l...l..l......l...n..l.Rich.l.........PE..d......e.........." ...%..7..4......v.........................................O.......P...`.........................................P.H.0....kN.@.....N.\|.....K.d.....O../....N....P.C.8.............................C.@............`N..............................text.....7.......7................. ..`.rdata....... 7.......7.............@..@.data....n....K..<....J.............@....pdata..0.....K......4K.............@..@.idata...%...`N..&....N.............@..@.00cfg..u.....N.......N.............@..@.rsrc...\|.....N......0N.............@..@.reloc........N......8N.............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68802\python312.dll

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6927640
Entropy (8bit):	5.765554952149868
Encrypted:	false
SSDEEP:	49152:Jc7/HNCHh0IWiUDFsx3hghs7g6kIPuch+Xe16/02yWYqiVx7qb4f4wmC36nhIVcF:JcBZhxsje2kUvid5E+vbHDMiEr/l9o
MD5:	CAE8FA4E7CB32DA83ACF655C2C39D9E1
SHA1:	7A0055588A2D232BE8C56791642CB0F5ABBC71F8
SHA-256:	8AD53C67C2B4DB4387D5F72EE2A3CA80C40AF444B22BF41A6CFDA2225A27BB93
SHA-512:	DB2190DA2C35BCEED0EF91D7553FF0DEA442286490145C3D0E89DB59BA1299B0851E601CC324B5F7FD026414FC73755E8EFF2EF5FB5EEB1C54A9E13E7C66DD0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D..Z%..Z%..Z%......X%....e.T%......^%......R%......W%..S]..@%...]..Q%..Z%..$..O....%..O...[%..O.g.[%..O...[%..RichZ%..........PE..d......f.........." ...(..(..6B...............................................j......dj...`.........................................pdN.d....1O.......i......._.`I....i../... i..[..0.2.T.....................H.(....2.@............ (..............................text.....(.......(................. ..`.rdata..f7'.. (..8'...(.............@..@.data....J...`O......HO.............@....pdata..`I...._..J....^.............@..@PyRuntim0.....b.......a.............@....rsrc.........i...... h.............@..@.reloc...[... i..\...h.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68802\select.pyd

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31000
Entropy (8bit):	6.553885009751671
Encrypted:	false
SSDEEP:	384:I8RVBC9t6Lhz64SHfZslDT90YBI1QGjHQIYiSy1pCQQRaAM+o/8E9VF0NytuSS:1GyqHfK1HBI1QGT5YiSyvXAMxkEm
MD5:	79CE1AE3A23DFF6ED5FC66E6416600CD
SHA1:	6204374D99144B0A26FD1D61940FF4F0D17C2212
SHA-256:	678E09AD44BE42FA9BC9C7A18C25DBE995A59B6C36A13EECC09C0F02A647B6F0
SHA-512:	A4E48696788798A7D061C0EF620D40187850741C2BEC357DB0E37A2DD94D3A50F9F55BA75DC4D95E50946CBAB78B84BA1FC42D51FD498640A231321566613DAA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t..'..'..'..g'..'-..&..'-..&..'-..&..'-..&..'...&..'..'...'...&..'...&..'...&..'...'..'...&..'Rich..'................PE..d.....f.........." ...(.....2......................................................._....`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...`....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68802\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1138456
Entropy (8bit):	5.461877321211646
Encrypted:	false
SSDEEP:	12288:FrEHdcM6hb/CjJ43w9hIpCQvb0QN8MdIEQ+U2BNNmD+99FfcAa1:FrEXaCjfk7bPNfv42BN6yzUAa1
MD5:	B848E259FABAF32B4B3C980A0A12488D
SHA1:	DA2E864E18521C86C7D8968DB74BB2B28E4C23E2
SHA-256:	C65073B65F107E471C9BE3C699FB11F774E9A07581F41229582F7B2154B6FC3C
SHA-512:	4C6953504D1401FE0C74435BCEEBC5EC7BF8991FD42B659867A3529CEE5CC64DA54F1AB404E88160E747887A7409098F1A85A546BC40F12F0DDE0025408F9E27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#.}.#.}.#.}...%.}..\|.!.}..~. .}..y.+.}..x...}.6-\|. .}.h.\|.!.}.#.\|.s.}.6-p.".}.6-}.".}.6-..".}.6-..".}.Rich#.}.........PE..d....f.........." ...(.@..........0.......................................p......]M....`.........................................p...X............P.......@.......0.../...`......P^..T............................]..@............P..p............................text...!>.......@.................. ..`.rdata..\....P.......D..............@..@.data........ ......................@....pdata.......@......................@..@.rsrc........P.......$..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.980504182768874
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ITC590-Script 3 V2-P-2024.exe
File size:	7'247'553 bytes
MD5:	ae50e6bab627b7a39408186e75821ea3
SHA1:	69ce995fc2e079c7a7afc9f327a5949356ef6223
SHA256:	ca7788bea6909aab6f62b8218025f2b6050c27ffac885e457c60fdc57b2c2d67
SHA512:	b58483579b05d1cdcc0aa013dc6f1c62ba3c1b006a1c65ef552a5f9b1b84ca8782f27e7b786c303410069943fe5df3bef3ab595029692f5f7b9b324456bade54
SSDEEP:	196608:/jV2NBKA1HeT39Iig5Tet4Q4G/NsINyzWWAMYI93:LV2fj1+TtIiOS1NsIkzWWAcx
TLSH:	D6763355B2F18DE9DAF38239D2F14216A6923C665760C19F13B83B2A3F33581ED3A714
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Zpc.Zpc.Zpc...`.]pc...f..pc...g.Ppc.....Ypc...`.Spc...g.Kpc...f.rpc...b.Qpc.Zpb..pc.O.g.Cpc.O.a.[pc.RichZpc.........PE..d..

File Icon


Icon Hash:	0914347a7d4d9519

Static PE Info

General

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C48A5F [Tue Aug 20 12:21:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FD7C8C38FCCh
dec eax
add esp, 28h
jmp 00007FD7C8C38BEFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FD7C8C39398h
test eax, eax
je 00007FD7C8C38D93h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FD7C8C38D77h
dec eax
cmp ecx, eax
je 00007FD7C8C38D86h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007FD7C8C38D60h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FD7C8C38D69h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007FD7C8C38D79h
mov byte ptr [00035765h], 00000001h
call 00007FD7C8C384C5h
call 00007FD7C8C397B0h
test al, al
jne 00007FD7C8C38D76h
xor al, al
jmp 00007FD7C8C38D86h
call 00007FD7C8C462CFh
test al, al
jne 00007FD7C8C38D7Bh
xor ecx, ecx
call 00007FD7C8C397C0h
jmp 00007FD7C8C38D5Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007FD7C8C38DD9h
cmp ecx, 01h
jnbe 00007FD7C8C38DDCh
call 00007FD7C8C3930Eh
test eax, eax
je 00007FD7C8C38D9Ah
test ebx, ebx
jne 00007FD7C8C38D96h
dec eax
lea ecx, dword ptr [00035716h]
call 00007FD7C8C460C2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x10e34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	a6c3b829cc8eaabb1a474c227e90407f	False	0.5514206659226191	data	6.487493643901088	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	cda4abc23abf74bd211d889cc0800cd0	False	0.52453125	data	5.752802244244773	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	181312260a85d10a1454ba38901c499b	False	0.4705946180555556	data	5.290347578351011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x10e34	0x11000	dab4368a357cbd0d6e98b24ee58e798e	False	0.2670323988970588	data	3.4978318250119744	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x470e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2443 x 2443 px/m	0.2621110848219567
RT_GROUP_ICON	0x57910	0x14	data	1.15
RT_MANIFEST	0x57924	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T02:11:08.544585+0200	2049956	ET MALWARE Test CnC Domain in DNS Lookup (test .com)	1	192.168.2.4	55846	1.1.1.1	53	UDP
2024-09-30T02:11:08.544585+0200	2049957	ET MALWARE X CnC Domain in DNS Lookup (test .com)	1	192.168.2.4	55846	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 02:09:58.465965033 CEST	49730	80	192.168.2.4	172.16.77.202
Sep 30, 2024 02:09:58.470875978 CEST	80	49730	172.16.77.202	192.168.2.4
Sep 30, 2024 02:09:58.471035004 CEST	49730	80	192.168.2.4	172.16.77.202
Sep 30, 2024 02:10:03.465521097 CEST	49731	80	192.168.2.4	172.16.63.22
Sep 30, 2024 02:10:03.471817017 CEST	80	49731	172.16.63.22	192.168.2.4
Sep 30, 2024 02:10:03.471889973 CEST	49731	80	192.168.2.4	172.16.63.22
Sep 30, 2024 02:10:08.466824055 CEST	49732	80	192.168.2.4	172.16.237.12
Sep 30, 2024 02:10:08.471750975 CEST	80	49732	172.16.237.12	192.168.2.4
Sep 30, 2024 02:10:08.471831083 CEST	49732	80	192.168.2.4	172.16.237.12
Sep 30, 2024 02:10:13.468187094 CEST	49733	80	192.168.2.4	172.16.177.209
Sep 30, 2024 02:10:13.473108053 CEST	80	49733	172.16.177.209	192.168.2.4
Sep 30, 2024 02:10:13.473278999 CEST	49733	80	192.168.2.4	172.16.177.209
Sep 30, 2024 02:10:18.468806982 CEST	49740	80	192.168.2.4	172.16.89.192
Sep 30, 2024 02:10:18.473663092 CEST	80	49740	172.16.89.192	192.168.2.4
Sep 30, 2024 02:10:18.473738909 CEST	49740	80	192.168.2.4	172.16.89.192
Sep 30, 2024 02:10:19.855202913 CEST	80	49730	172.16.77.202	192.168.2.4
Sep 30, 2024 02:10:19.855257034 CEST	49730	80	192.168.2.4	172.16.77.202
Sep 30, 2024 02:10:23.469808102 CEST	49741	80	192.168.2.4	172.16.69.225
Sep 30, 2024 02:10:23.474875927 CEST	80	49741	172.16.69.225	192.168.2.4
Sep 30, 2024 02:10:23.474940062 CEST	49741	80	192.168.2.4	172.16.69.225
Sep 30, 2024 02:10:24.840070009 CEST	80	49731	172.16.63.22	192.168.2.4
Sep 30, 2024 02:10:24.842946053 CEST	49731	80	192.168.2.4	172.16.63.22
Sep 30, 2024 02:10:28.472342968 CEST	49742	80	192.168.2.4	172.16.246.98
Sep 30, 2024 02:10:28.477368116 CEST	80	49742	172.16.246.98	192.168.2.4
Sep 30, 2024 02:10:28.477457047 CEST	49742	80	192.168.2.4	172.16.246.98
Sep 30, 2024 02:10:29.859313965 CEST	80	49732	172.16.237.12	192.168.2.4
Sep 30, 2024 02:10:29.859428883 CEST	49732	80	192.168.2.4	172.16.237.12
Sep 30, 2024 02:10:33.479288101 CEST	49743	80	192.168.2.4	172.16.97.133
Sep 30, 2024 02:10:33.484142065 CEST	80	49743	172.16.97.133	192.168.2.4
Sep 30, 2024 02:10:33.484991074 CEST	49743	80	192.168.2.4	172.16.97.133
Sep 30, 2024 02:10:34.838591099 CEST	80	49733	172.16.177.209	192.168.2.4
Sep 30, 2024 02:10:34.838795900 CEST	49733	80	192.168.2.4	172.16.177.209
Sep 30, 2024 02:10:38.472254992 CEST	49730	80	192.168.2.4	172.16.77.202
Sep 30, 2024 02:10:38.477170944 CEST	80	49730	172.16.77.202	192.168.2.4
Sep 30, 2024 02:10:38.479856968 CEST	49744	80	192.168.2.4	172.16.56.13
Sep 30, 2024 02:10:38.484761953 CEST	80	49744	172.16.56.13	192.168.2.4
Sep 30, 2024 02:10:38.484855890 CEST	49744	80	192.168.2.4	172.16.56.13
Sep 30, 2024 02:10:39.873469114 CEST	80	49740	172.16.89.192	192.168.2.4
Sep 30, 2024 02:10:39.879038095 CEST	49740	80	192.168.2.4	172.16.89.192
Sep 30, 2024 02:10:43.480320930 CEST	49731	80	192.168.2.4	172.16.63.22
Sep 30, 2024 02:10:43.482459068 CEST	49745	80	192.168.2.4	172.16.9.240
Sep 30, 2024 02:10:43.485166073 CEST	80	49731	172.16.63.22	192.168.2.4
Sep 30, 2024 02:10:43.487278938 CEST	80	49745	172.16.9.240	192.168.2.4
Sep 30, 2024 02:10:43.487343073 CEST	49745	80	192.168.2.4	172.16.9.240
Sep 30, 2024 02:10:44.838346958 CEST	80	49741	172.16.69.225	192.168.2.4
Sep 30, 2024 02:10:44.838413954 CEST	49741	80	192.168.2.4	172.16.69.225
Sep 30, 2024 02:10:48.472296000 CEST	49732	80	192.168.2.4	172.16.237.12
Sep 30, 2024 02:10:48.479151011 CEST	80	49732	172.16.237.12	192.168.2.4
Sep 30, 2024 02:10:49.844161034 CEST	80	49742	172.16.246.98	192.168.2.4
Sep 30, 2024 02:10:49.844239950 CEST	49742	80	192.168.2.4	172.16.246.98
Sep 30, 2024 02:10:53.482415915 CEST	49733	80	192.168.2.4	172.16.177.209
Sep 30, 2024 02:10:53.487237930 CEST	80	49733	172.16.177.209	192.168.2.4
Sep 30, 2024 02:10:54.856260061 CEST	80	49743	172.16.97.133	192.168.2.4
Sep 30, 2024 02:10:54.856364965 CEST	49743	80	192.168.2.4	172.16.97.133
Sep 30, 2024 02:10:58.485281944 CEST	49740	80	192.168.2.4	172.16.89.192
Sep 30, 2024 02:10:58.490219116 CEST	80	49740	172.16.89.192	192.168.2.4
Sep 30, 2024 02:10:59.872240067 CEST	80	49744	172.16.56.13	192.168.2.4
Sep 30, 2024 02:10:59.875117064 CEST	49744	80	192.168.2.4	172.16.56.13
Sep 30, 2024 02:11:03.475871086 CEST	49741	80	192.168.2.4	172.16.69.225
Sep 30, 2024 02:11:03.480789900 CEST	80	49741	172.16.69.225	192.168.2.4
Sep 30, 2024 02:11:04.840853930 CEST	80	49745	172.16.9.240	192.168.2.4
Sep 30, 2024 02:11:04.840933084 CEST	49745	80	192.168.2.4	172.16.9.240
Sep 30, 2024 02:11:08.478358030 CEST	49742	80	192.168.2.4	172.16.246.98
Sep 30, 2024 02:11:08.484172106 CEST	80	49742	172.16.246.98	192.168.2.4
Sep 30, 2024 02:11:13.485912085 CEST	49743	80	192.168.2.4	172.16.97.133
Sep 30, 2024 02:11:13.491017103 CEST	80	49743	172.16.97.133	192.168.2.4
Sep 30, 2024 02:11:18.494988918 CEST	49744	80	192.168.2.4	172.16.56.13
Sep 30, 2024 02:11:18.499982119 CEST	80	49744	172.16.56.13	192.168.2.4
Sep 30, 2024 02:11:23.496454000 CEST	49745	80	192.168.2.4	172.16.9.240
Sep 30, 2024 02:11:23.501416922 CEST	80	49745	172.16.9.240	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 02:10:48.491168976 CEST	58518	53	192.168.2.4	1.1.1.1
Sep 30, 2024 02:10:48.502798080 CEST	53	58518	1.1.1.1	192.168.2.4
Sep 30, 2024 02:10:58.549777031 CEST	57575	53	192.168.2.4	1.1.1.1
Sep 30, 2024 02:10:58.564137936 CEST	53	57575	1.1.1.1	192.168.2.4
Sep 30, 2024 02:11:08.544584990 CEST	55846	53	192.168.2.4	1.1.1.1
Sep 30, 2024 02:11:08.551413059 CEST	53	55846	1.1.1.1	192.168.2.4
Sep 30, 2024 02:11:18.545569897 CEST	55811	53	192.168.2.4	1.1.1.1
Sep 30, 2024 02:11:18.561050892 CEST	53	55811	1.1.1.1	192.168.2.4
Sep 30, 2024 02:11:28.546617031 CEST	60282	53	192.168.2.4	1.1.1.1
Sep 30, 2024 02:11:28.561342001 CEST	53	60282	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 02:10:48.491168976 CEST	192.168.2.4	1.1.1.1	0xef9a	Standard query (0)	malicious-site.net	A (IP address)	IN (0x0001)	false
Sep 30, 2024 02:10:58.549777031 CEST	192.168.2.4	1.1.1.1	0x8dac	Standard query (0)	suspicious-domain.org	A (IP address)	IN (0x0001)	false
Sep 30, 2024 02:11:08.544584990 CEST	192.168.2.4	1.1.1.1	0x381e	Standard query (0)	test.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 02:11:18.545569897 CEST	192.168.2.4	1.1.1.1	0xb7c9	Standard query (0)	suspicious-domain.org	A (IP address)	IN (0x0001)	false
Sep 30, 2024 02:11:28.546617031 CEST	192.168.2.4	1.1.1.1	0xbd5	Standard query (0)	suspicious-domain.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 02:10:48.502798080 CEST	1.1.1.1	192.168.2.4	0xef9a	Name error (3)	malicious-site.net	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 02:10:58.564137936 CEST	1.1.1.1	192.168.2.4	0x8dac	Name error (3)	suspicious-domain.org	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 02:11:08.551413059 CEST	1.1.1.1	192.168.2.4	0x381e	No error (0)	test.com		34.224.149.186	A (IP address)	IN (0x0001)	false
Sep 30, 2024 02:11:08.551413059 CEST	1.1.1.1	192.168.2.4	0x381e	No error (0)	test.com		3.18.255.247	A (IP address)	IN (0x0001)	false
Sep 30, 2024 02:11:18.561050892 CEST	1.1.1.1	192.168.2.4	0xb7c9	Name error (3)	suspicious-domain.org	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 02:11:28.561342001 CEST	1.1.1.1	192.168.2.4	0xbd5	Name error (3)	suspicious-domain.org	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	20:09:56
Start date:	29/09/2024
Path:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"
Imagebase:	0x7ff77d680000
File size:	7'247'553 bytes
MD5 hash:	AE50E6BAB627B7A39408186E75821EA3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:09:57
Start date:	29/09/2024
Path:	C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"
Imagebase:	0x7ff77d680000
File size:	7'247'553 bytes
MD5 hash:	AE50E6BAB627B7A39408186E75821EA3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 00007FF77D6889E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77D689390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77D6845F4,00000000,00007FF77D681985), ref: 00007FF77D6893C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688A56

Part of subcall function 00007FF77D69A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69A490

Part of subcall function 00007FF77D69871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D698783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688AE6
CreateProcessW.KERNELBASE ref: 00007FF77D688B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688B28

Part of subcall function 00007FF77D682C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682C9E
Part of subcall function 00007FF77D682C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682D63
Part of subcall function 00007FF77D682C50: MessageBoxW.USER32 ref: 00007FF77D682D99

RegisterClassW.USER32 ref: 00007FF77D688B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688B8B
CreateWindowExW.USER32 ref: 00007FF77D688BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688C15
PeekMessageW.USER32 ref: 00007FF77D688C39
TranslateMessage.USER32 ref: 00007FF77D688C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688C51
PeekMessageW.USER32 ref: 00007FF77D688C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688E04
GetExitCodeProcess.KERNELBASE ref: 00007FF77D688E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688E2F

Strings

Failed to create child process!, xrefs: 00007FF77D688B30
PyInstallerOnefileHiddenWindow, xrefs: 00007FF77D688B54
CreateProcessW, xrefs: 00007FF77D688B37
PyInstaller Onefile Hidden Window, xrefs: 00007FF77D688B95

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 34e00377a7c517d4f3711e910cfb026c9c9e8db004f15c7c2e3c4c669b66cad1
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: BCD15533E3CA8286E710AF34E8542AABB62FF84B94F800335DA5D87695EF3CD5458750

Function 00007FF77D681000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not create temporary directory!, xrefs: 00007FF77D683CBF
Failed to start splash screen!, xrefs: 00007FF77D683ECC
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF77D683EB3
VCRUNTIME140.dll, xrefs: 00007FF77D683DA9
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF77D683A17, 00007FF77D683A2F, 00007FF77D683A9B
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF77D683E9E
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF77D683971
pyi-runtime-tmpdir, xrefs: 00007FF77D683B68
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF77D683BE8
pyi-contents-directory, xrefs: 00007FF77D683B8D
Py_GIL_DISABLED, xrefs: 00007FF77D683AF4
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF77D683A0B, 00007FF77D683CD4, 00007FF77D683F63
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF77D6839DE
Failed to load splash screen resources!, xrefs: 00007FF77D683E7D
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF77D683C61
_PYI_ARCHIVE_FILE, xrefs: 00007FF77D6838D2, 00007FF77D6839FF
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF77D683B32
pkg, xrefs: 00007FF77D6839BE
Failed to remove temporary directory: %s, xrefs: 00007FF77D683FC7
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF77D683882, 00007FF77D6838AF
MEI, xrefs: 00007FF77D683933
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF77D683E02
Failed to convert DLL search path!, xrefs: 00007FF77D683DD4
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF77D683D35
_PYI_SPLASH_IPC, xrefs: 00007FF77D683A23, 00007FF77D683EED
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF77D683D12
pyi-python-flag, xrefs: 00007FF77D683AD6
pyi-disable-windowed-traceback, xrefs: 00007FF77D683BB2

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 0521423bedf0c23ef4483b598af0ac91be45681437f26730e4199ade94993b9f
Instruction ID: ebd3ec9b3ec3dca448e77d6bdf3460358655604b8587c5c124c62c269f785eff
Opcode Fuzzy Hash: 0521423bedf0c23ef4483b598af0ac91be45681437f26730e4199ade94993b9f
Instruction Fuzzy Hash: 86325B23E3C682D1EA15BB2594542BBA793AF957C0FC44236DA5DC3296FF2CE558C320

Function 00007FF77D6A6964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77D6A6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A66D9
Part of subcall function 00007FF77D6A6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A6757
Part of subcall function 00007FF77D6A6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A67A8

CreateFileW.KERNELBASE ref: 00007FF77D6A6A6A
CreateFileW.KERNEL32 ref: 00007FF77D6A6ABA
GetLastError.KERNEL32 ref: 00007FF77D6A6AEA
GetFileType.KERNELBASE ref: 00007FF77D6A6AFF
GetLastError.KERNEL32 ref: 00007FF77D6A6B09
CloseHandle.KERNEL32 ref: 00007FF77D6A6B3C
CloseHandle.KERNEL32 ref: 00007FF77D6A6C9F
CreateFileW.KERNEL32 ref: 00007FF77D6A6CD4
GetLastError.KERNEL32 ref: 00007FF77D6A6CE3

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 638d7e9c8017b22b817c77545fc0c9addb2e3502f45f0a0012853819baa71786
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: 7DC1B233F38A4285EB10EFA9D4902AE7762F789BD8B414325DA5E97794EF38E411C310

Function 00007FF77D6883C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D68842B
RemoveDirectoryW.KERNEL32(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D6884AE
DeleteFileW.KERNELBASE(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D6884CD
FindNextFileW.KERNELBASE(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D6884DB
FindClose.KERNEL32(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D6884EC
RemoveDirectoryW.KERNELBASE(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D6884F5

Strings

%s\*, xrefs: 00007FF77D6883F2

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: c07d5cb395715dd410a49aadce718f7da0e29f8871393ed39e3004db75572869
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: 3A410F23E3C642C5EA60AB64B4441BBA7A2FB98BD4FD00332E69DC2695FF3CD5458750

Function 00007FF77D689280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF77D6892B3
FindClose.KERNELBASE ref: 00007FF77D6892C2

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: ef05c9abaec79f1baf501e12dc119f0554db9dea8a58efbf38667a894d5111d3
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 6AF08623E3C64186E7A09B64B49476BB751AB843A4F440336D9AD416D5EF3CD0588600

Function 00007FF77D681950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77D687F90: _fread_nolock.LIBCMT ref: 00007FF77D68803A

_fread_nolock.LIBCMT ref: 00007FF77D681A1B

Part of subcall function 00007FF77D682910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF77D681B6A), ref: 00007FF77D68295E

Strings

MEI, xrefs: 00007FF77D681991
Could not allocate memory for archive structure!, xrefs: 00007FF77D681A61
Failed to read cookie!, xrefs: 00007FF77D681A2B
fseek, xrefs: 00007FF77D6819F5
fread, xrefs: 00007FF77D681A32, 00007FF77D681B5C
calloc, xrefs: 00007FF77D681A68
Failed to seek to cookie position!, xrefs: 00007FF77D6819EE
malloc, xrefs: 00007FF77D681B22
Could not allocate buffer for TOC!, xrefs: 00007FF77D681B1B
Could not read full TOC!, xrefs: 00007FF77D681B55
Error on file., xrefs: 00007FF77D681B8D

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 75df882cb69919a76d97c614361eef51b2ec2ab8d5059f73c2ac4bb1c74e6529
Instruction ID: 83922bc56829acc6bac01e1bf8f7adc290153d9d7fcf2b094e8aaa3f7ec5f98e
Opcode Fuzzy Hash: 75df882cb69919a76d97c614361eef51b2ec2ab8d5059f73c2ac4bb1c74e6529
Instruction Fuzzy Hash: 2C816272E3C686C5EB60AB14D0502BAA792EF887C4F844635D98DC7685FE3CE5858760

Function 00007FF77D681600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF77D681742
fwrite, xrefs: 00007FF77D6817D1
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF77D6817CA
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77D6816DA
fseek, xrefs: 00007FF77D6816E1
Failed to create symbolic link %s!, xrefs: 00007FF77D681622
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF77D6817DF
Failed to extract %s: failed to open target file!, xrefs: 00007FF77D68165C
fread, xrefs: 00007FF77D6817E6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF77D6816A2
malloc, xrefs: 00007FF77D681749
fopen, xrefs: 00007FF77D681663

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: d7e5a8d788c56064f5ee056adac7b7af7416d0cf868ad80b96a324f46d3978b4
Instruction ID: 2d90dc93eb87c9af10278bff285bdb620f9fc7c968573217592183f3775d7416
Opcode Fuzzy Hash: d7e5a8d788c56064f5ee056adac7b7af7416d0cf868ad80b96a324f46d3978b4
Instruction Fuzzy Hash: D25166A2E3C64392EA10BB2594001BBA393BF947D4FC44735EE4D87696FE3CE5858320

Function 00007FF77D688660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF77D683CBB), ref: 00007FF77D688704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF77D683CBB), ref: 00007FF77D68870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF77D683CBB), ref: 00007FF77D68874C

Part of subcall function 00007FF77D688830: GetEnvironmentVariableW.KERNEL32(00007FF77D68388E), ref: 00007FF77D688867
Part of subcall function 00007FF77D688830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF77D688889

Part of subcall function 00007FF77D698238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D698251

Part of subcall function 00007FF77D682810: MessageBoxW.USER32 ref: 00007FF77D6828EA

Strings

LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF77D68877E
TMP, xrefs: 00007FF77D68869C, 00007FF77D6887A3
_MEI%d, xrefs: 00007FF77D688712
LOADER: failed to set the TMP environment variable., xrefs: 00007FF77D6886DC
TMP, xrefs: 00007FF77D6886C2

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction ID: 50204aff8da51a422479435c137203fc0330067df22e64af5479c5e94f38ef68
Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction Fuzzy Hash: FF418E13E3D64284EA10B765A8552BB9393AF85BC4FC40336ED4EC769AFE3CE5018760

Function 00007FF77D681210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF77D681276
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF77D68141E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF77D6812EF
malloc, xrefs: 00007FF77D6812C1, 00007FF77D6812F6
1.3.1, xrefs: 00007FF77D681249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF77D6812BA

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
Instruction ID: 6fc43e447a5e945ef554c006f7a8bc8e178cab03547c7e4315cf93f1e5f21b37
Opcode Fuzzy Hash: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
Instruction Fuzzy Hash: 8951BE63E3CA4281EA60BB15A4503BBA693BF857D4FC44235ED4D87799FE3CE5428720

Function 00007FF77D69ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF77D69F0AA,?,?,-00000018,00007FF77D69AD53,?,?,?,00007FF77D69AC4A,?,?,?,00007FF77D695F3E), ref: 00007FF77D69EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF77D69F0AA,?,?,-00000018,00007FF77D69AD53,?,?,?,00007FF77D69AC4A,?,?,?,00007FF77D695F3E), ref: 00007FF77D69EE98

Strings

ext-ms-, xrefs: 00007FF77D69EDE9
api-ms-, xrefs: 00007FF77D69EDD6

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 3f419700d9c87f4cc518c828b84b93490e374cb9828bfc36d435b36294ff061f
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: D041C127F3EA1281EA15AB169800577A293BF49BD0FD84639DD1DC7785FE3CE4098220

Function 00007FF77D6836B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF77D683804), ref: 00007FF77D6836E1
GetLastError.KERNEL32(?,00007FF77D683804), ref: 00007FF77D6836EB

Part of subcall function 00007FF77D682C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682C9E
Part of subcall function 00007FF77D682C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682D63
Part of subcall function 00007FF77D682C50: MessageBoxW.USER32 ref: 00007FF77D682D99

Strings

GetModuleFileNameW, xrefs: 00007FF77D6836FA
Failed to resolve full path to executable %ls., xrefs: 00007FF77D683739
\\?\, xrefs: 00007FF77D68375A
Failed to convert executable path to UTF-8., xrefs: 00007FF77D683790
Failed to obtain executable path., xrefs: 00007FF77D6836F3

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 2e476d2f6d941a74fd16b2d7717fb61c0f2e0d329c3e561c0342d00257dee15e
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: 9E212162F3C642C1FA20B724E8152BB9252BF983D4FC04336D59EC66D5FE2CE5048724

Function 00007FF77D69BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69BE89

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction ID: 80d9848ce04a3ccc5ac468d0a5d3889eb111a81db3293cd5f5d8d96e5f846de3
Opcode Fuzzy Hash: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction Fuzzy Hash: 21C1D523D3C68691E650AB1990802BFBF57FB81BC0F950379EA4D83395EE7CE4498721

Function 00007FF77D688570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF77D688590
OpenProcessToken.ADVAPI32 ref: 00007FF77D6885A3
GetTokenInformation.KERNELBASE ref: 00007FF77D6885C8
GetLastError.KERNEL32 ref: 00007FF77D6885D2
GetTokenInformation.KERNELBASE ref: 00007FF77D688612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF77D68862E
CloseHandle.KERNEL32 ref: 00007FF77D688646

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction ID: 94258746bd98367c86d28a0d08f67c62ef3f8c4008dd103b7e33b55fc64fbf5b
Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction Fuzzy Hash: CF21F422E2C64381EA50AB55B54423BE7A2EBC5BE4FD00335E6AD83AD5EE6CD8458710

Function 00007FF77D6890E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77D688570: GetCurrentProcess.KERNEL32 ref: 00007FF77D688590
Part of subcall function 00007FF77D688570: OpenProcessToken.ADVAPI32 ref: 00007FF77D6885A3
Part of subcall function 00007FF77D688570: GetTokenInformation.KERNELBASE ref: 00007FF77D6885C8
Part of subcall function 00007FF77D688570: GetLastError.KERNEL32 ref: 00007FF77D6885D2
Part of subcall function 00007FF77D688570: GetTokenInformation.KERNELBASE ref: 00007FF77D688612
Part of subcall function 00007FF77D688570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF77D68862E
Part of subcall function 00007FF77D688570: CloseHandle.KERNEL32 ref: 00007FF77D688646

LocalFree.KERNEL32(?,00007FF77D683C55), ref: 00007FF77D68916C
LocalFree.KERNEL32(?,00007FF77D683C55), ref: 00007FF77D689175

Strings

S-1-3-4, xrefs: 00007FF77D689121
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF77D689183
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF77D689142
D:(A;;FA;;;%s), xrefs: 00007FF77D689157

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: 2dce878d88bfbae65d5177f2ef36d88d8a86a456530baf3d0837dc4e58a400d1
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: E7211462E3C74181E650BB10E5152EBA262FB887C0FC44236EA8D93796FF3CE5458760

Function 00007FF77D69CF60 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77D69CF4B), ref: 00007FF77D69D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77D69CF4B), ref: 00007FF77D69D107

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 196cbd5a16054765cac47f1e13bde620b678d246ddfc815946f20d7abc784894
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: C691B423E3C65185F750AF65944427EABA3BB44BC8F98427DDF0E97694EE38D442CB20

Function 00007FF77D695628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D695655
CreateFileW.KERNELBASE ref: 00007FF77D695694
CloseHandle.KERNEL32 ref: 00007FF77D6956C9

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: ea7e72c7268e0419abb72c941a83c969c7be7a1269a0cadce512aafad17464ad
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: A7419273D3C78183E610AB20951037AA662FB943E4F508339EA9C47AD5EF6CA5A08710

Function 00007FF77D68CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77D68CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF77D68CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF77D68CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF77D68CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF77D68CD21

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 914ca16ccf4346beff4d0740888d0e3adcdcd3908f1196b53007a2791beb6d9e
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 2E314A23E3C24385FA14BB6594212BBA6839F853C4FC55235EA4DC72D7FE2CA808C230

Function 00007FF77D699A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF77D699A2C), ref: 00007FF77D699A41
TerminateProcess.KERNEL32(?,?,?,00007FF77D699A2C), ref: 00007FF77D699A4C
ExitProcess.KERNEL32 ref: 00007FF77D699A5B

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: 34d50d27d36c7eb228f4ae2060e3627701440c600119799c8ca60bb6fb0ff0f3
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: 11D09E12F3C74642EB183F755C5507E965BAF88781F94267DC84BC6393FD2CA8494320

Function 00007FF77D69013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D690180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D690277

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 21c0bdc59a7a93c0742b9ae98d83d451d752be6ea68830a80dd56eb435c3a41b
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: F451D823F3D24286E764BA65940067BA793AF84BE4F984778DD6DD37C9EE3CD4018620

Function 00007FF77D69C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF77D69C2CD), ref: 00007FF77D69C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF77D69C2CD), ref: 00007FF77D69C18A

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: fe1c6438bf410d08f137c0ca01d62abe3ad886dae487efa23d711f97814a878c
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: A811B662A3CA4181DA209B15B85417AB753AB45FF4F944335EE7D877D5EE3CD0118704

Function 00007FF77D69A948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A95E
GetLastError.KERNEL32(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A968

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: 8258ee10993d3adc20218761088cb686075471faba7fe16b1b70ea7f96ab12c9
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: D5E04F12E3D20242FE147BB1A45513B96936FD4780FC50278C84DC22A1FE2CA8418230

Function 00007FF77D69AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF77D69A9D5,?,?,00000000,00007FF77D69AA8A), ref: 00007FF77D69ABC6
GetLastError.KERNEL32(?,?,?,00007FF77D69A9D5,?,?,00000000,00007FF77D69AA8A), ref: 00007FF77D69ABD0

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: e2ad6391bf9841f06cbde35e8cc9902471aad44a92eb800acae98f259ce72047
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 8A219252F3C68241EAA07751959037FA6C39F84BE4F8443BDE96ECB7D5EE6CE4414220

Function 00007FF77D69BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69BED4

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 1341a35870d3daf0a261345285948970b17c3c62fb942517886956d6244abe96
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: C541A833D3C24187EA24AB19A58017AB7A3EB55BC0F500379D68EC36D5EF6CE402CB61

Function 00007FF77D687F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF77D68803A

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 7026eb3b68f3585a2f5768ea15c5ca7bda34a28a3ae4cdbb6486ed2f903c9d01
Instruction ID: 95eef0b9fb9ae0f7f0e94ee4543e26550f4de6ba46678be69ddfdd3d6290369d
Opcode Fuzzy Hash: 7026eb3b68f3585a2f5768ea15c5ca7bda34a28a3ae4cdbb6486ed2f903c9d01
Instruction Fuzzy Hash: D6216F22F7C69286EA50BA2269043BBD752BF45FC4FC84535EE0D9B786EE7DE0418210

Function 00007FF77D69B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69B9C2

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction ID: 3e39e0dda8aef983554fb3a1958000068eba41bd1e8be829d58bd4f8ac2e56f6
Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction Fuzzy Hash: 3E317423E3C60285E6117B69948137EAA53AF95BE0FC10379D91D833D2EE7CE4418735

Function 00007FF77D699961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF77D69998F

Part of subcall function 00007FF77D699A88: GetModuleHandleExW.KERNEL32 ref: 00007FF77D699AAD
Part of subcall function 00007FF77D699A88: GetProcAddress.KERNEL32 ref: 00007FF77D699AC3
Part of subcall function 00007FF77D699A88: FreeLibrary.KERNEL32 ref: 00007FF77D699AEA

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: 27d2d722566f3883fccce894ffa33606881ef06c02cb5dc04ad4876933af58f1
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: 31219C72E2874589EB24AF74C4802BD33AAEB04358F84163BE75C86A85FF38D444C750

Function 00007FF77D695F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D695EF9

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 136951fb9509d705491368f8ee86a25d4afcc9f1a3e8ff0f38ff872a8c37cef5
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 27113333E3D64281EA60BF11940017BE667AF85BD4F844679EA8C97A9DEF3DE4015720

Function 00007FF77D6A6354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A6377

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: d1bb41677979dd9643b95bed57c614ae39378a41c57e0cf896c9ca7ba700f38e
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: D821A473A3CA4286DB60AF58D44037AB6A2FBD4B94F944334E69D876D5EF3CD4018B10

Function 00007FF77D6903BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D690410

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 027e05393a801b3cf4312072a579ee1b0245e3008372fa877798353260f46892
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: F8017022E3C74180E644BB52990007AE793AB95FE0F884775EE5CA3BDAEE3CD4118310

Function 00007FF77D69D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF77D690C90,?,?,?,00007FF77D6922FA,?,?,?,?,?,00007FF77D693AE9), ref: 00007FF77D69D63A

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: e83b0a8adcd1f60e09fa382d63607825a85069ea51ee0710c564be3489a39218
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 83F03A26E7D20240FE547BA1585527692934FC47E0F8C0778DA2EC62C2FD2CA4808930

Non-executed Functions

Function 00007FF77D6876C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF77D6876D7
GetLastError.KERNEL32 ref: 00007FF77D6876E9
GetProcAddress.KERNEL32 ref: 00007FF77D687725
GetLastError.KERNEL32 ref: 00007FF77D687737
GetProcAddress.KERNEL32 ref: 00007FF77D687750
GetLastError.KERNEL32 ref: 00007FF77D687762
GetProcAddress.KERNEL32 ref: 00007FF77D68777B
GetLastError.KERNEL32 ref: 00007FF77D68778D
GetProcAddress.KERNEL32 ref: 00007FF77D6877A9
GetLastError.KERNEL32 ref: 00007FF77D6877BB
GetProcAddress.KERNEL32 ref: 00007FF77D6877D7
GetLastError.KERNEL32 ref: 00007FF77D6877E9
GetProcAddress.KERNEL32 ref: 00007FF77D687805
GetLastError.KERNEL32 ref: 00007FF77D687817
GetProcAddress.KERNEL32 ref: 00007FF77D687833
GetLastError.KERNEL32 ref: 00007FF77D687845
GetProcAddress.KERNEL32 ref: 00007FF77D687861
GetLastError.KERNEL32 ref: 00007FF77D687873

Strings

Tcl_EvalObjv, xrefs: 00007FF77D687BEF, 00007FF77D687C11
Tcl_Init, xrefs: 00007FF77D6876D0, 00007FF77D6876EF
Tcl_ConditionFinalize, xrefs: 00007FF77D68793D, 00007FF77D68795F
Tcl_CreateInterp, xrefs: 00007FF77D68771B, 00007FF77D68773D
Tk_Init, xrefs: 00007FF77D687C79, 00007FF77D687C9B
Tcl_ConditionWait, xrefs: 00007FF77D687999, 00007FF77D6879BB
Tcl_MutexUnlock, xrefs: 00007FF77D6878E1, 00007FF77D687903
Tcl_Finalize, xrefs: 00007FF77D68779F, 00007FF77D6877C1
Tcl_GetString, xrefs: 00007FF77D687AAD, 00007FF77D687ACF
Tcl_MutexFinalize, xrefs: 00007FF77D68790F, 00007FF77D687931
Tcl_Free, xrefs: 00007FF77D687C4B, 00007FF77D687C6D
Tcl_ConditionNotify, xrefs: 00007FF77D68796B, 00007FF77D68798D
Tcl_MutexLock, xrefs: 00007FF77D6878B3, 00007FF77D6878D5
Tk_GetNumMainWindows, xrefs: 00007FF77D687CA7, 00007FF77D687CC9
Tcl_JoinThread, xrefs: 00007FF77D687885, 00007FF77D6878A7
Tcl_NewStringObj, xrefs: 00007FF77D687ADB, 00007FF77D687AFD
Tcl_CreateThread, xrefs: 00007FF77D687829, 00007FF77D68784B
Tcl_EvalEx, xrefs: 00007FF77D687BC1, 00007FF77D687BE3
Tcl_NewByteArrayObj, xrefs: 00007FF77D687B09, 00007FF77D687B2B
Tcl_Alloc, xrefs: 00007FF77D687C1D, 00007FF77D687C3F
Tcl_DeleteInterp, xrefs: 00007FF77D6877FB, 00007FF77D68781D
GetProcAddress, xrefs: 00007FF77D6876FF
Tcl_GetVar2, xrefs: 00007FF77D687A23, 00007FF77D687A45
Tcl_ThreadAlert, xrefs: 00007FF77D6879F5, 00007FF77D687A17
Tcl_DoOneEvent, xrefs: 00007FF77D687771, 00007FF77D687793
Tcl_SetVar2Ex, xrefs: 00007FF77D687B37, 00007FF77D687B59
Failed to get address for %hs, xrefs: 00007FF77D6876F8
Tcl_FinalizeThread, xrefs: 00007FF77D6877CD, 00007FF77D6877EF
Tcl_GetObjResult, xrefs: 00007FF77D687B65, 00007FF77D687B87
Tcl_FindExecutable, xrefs: 00007FF77D687746, 00007FF77D687768
Tcl_CreateObjCommand, xrefs: 00007FF77D687A7F, 00007FF77D687AA1
Tcl_EvalFile, xrefs: 00007FF77D687B93, 00007FF77D687BB5
Tcl_GetCurrentThread, xrefs: 00007FF77D687857, 00007FF77D687879
Tcl_ThreadQueueEvent, xrefs: 00007FF77D6879C7, 00007FF77D6879E9
Tcl_SetVar2, xrefs: 00007FF77D687A51, 00007FF77D687A73

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: e2cd111523718ad98217b7b84b7b650eb24fd88aca6d7889f8e3b3a670434045
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: 8E02B762D3DB07D1EA14BB59A8105B7A7A3AF857C5FC41331D5AE82260FF7CB5898230

Function 00007FF77D6A40AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF77D6A40FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A4766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A48DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A4B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A4DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A4FF7
memcpy_s.LIBCPMT ref: 00007FF77D6A50D2
memcpy_s.LIBCPMT ref: 00007FF77D6A517D
memcpy_s.LIBCPMT ref: 00007FF77D6A524C

Strings

1#QNAN, xrefs: 00007FF77D6A4213
1#INF, xrefs: 00007FF77D6A4223
1#SNAN, xrefs: 00007FF77D6A420A
1#IND, xrefs: 00007FF77D6A41E7

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: 912fa5254f2ac2e412f21aac711455c26aa4b3eda1bb4e564218feb1da57dfaa
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: 3DB2B973E3C2924AE7649E64D9407FEB7A2FB943C4F905235DA4D97A84EB38B900C750

Function 00007FF77D68ACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid literal/lengths set, xrefs: 00007FF77D68B133
invalid bit length repeat, xrefs: 00007FF77D68B099
invalid distances set, xrefs: 00007FF77D68B1A0
invalid literal/length code, xrefs: 00007FF77D68B3E2
invalid distance code, xrefs: 00007FF77D68B5B4
invalid distance too far back, xrefs: 00007FF77D68B670
invalid code lengths set, xrefs: 00007FF77D68AE2D
too many length or distance symbols, xrefs: 00007FF77D68AE46
invalid code -- missing end-of-block, xrefs: 00007FF77D68B0C6

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
Instruction ID: b722a574c1ea8e41aca58d827f9f0692a23592c5729ebf8348da7c3c7f8994ad
Opcode Fuzzy Hash: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
Instruction Fuzzy Hash: 0D52D573E386A587D7A49F14D558B7E7BAAFB44380F414239EA4A87780EB3CD844CB50

Function 00007FF77D68D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF77D68D148
RtlCaptureContext.KERNEL32 ref: 00007FF77D68D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF77D68D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF77D68D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF77D68D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF77D68D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF77D68D24C

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 7d1036c6c82a6052f7ed7e1c180a54b758027f9c70dad95328147599a9ae7eed
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: C3311273A28B8185EB60DF64E8503EE6765FB84744F44413ADB8D87B94EF38D548C720

Function 00007FF77D6A5C00 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF77D6A5C45

Part of subcall function 00007FF77D6A5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A55AC

Part of subcall function 00007FF77D69A948: RtlFreeHeap.NTDLL(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A95E
Part of subcall function 00007FF77D69A948: GetLastError.KERNEL32(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A968

Part of subcall function 00007FF77D69A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF77D69A8DF,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69A909
Part of subcall function 00007FF77D69A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF77D69A8DF,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69A92E

_get_daylight.LIBCMT ref: 00007FF77D6A5C34

Part of subcall function 00007FF77D6A55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A560C

_get_daylight.LIBCMT ref: 00007FF77D6A5EAA
_get_daylight.LIBCMT ref: 00007FF77D6A5EBB
_get_daylight.LIBCMT ref: 00007FF77D6A5ECC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF77D6A610C), ref: 00007FF77D6A5EF3

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: 84a1d99538c7b729871c4fd621ae15e0faac0752d833767e992d1e87c2e3ead1
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: E0D18F33E3C25245E724FF2595411BAA792EB947C4FC48236EA8D87A99FF3CE4418760

Function 00007FF77D69A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF77D69A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF77D69A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF77D69A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF77D69A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF77D69A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF77D69A72E

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 2168f0251e0edc82cf9c3ff9d270d03f838ae3f58a0b4a548375ef2d03e2967c
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: D6317437A28B8185DB60DB24E8402BF77A5FB84798F940236EA9D83B55EF3CC155CB10

Function 00007FF77D6A1874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A18C0
FindFirstFileExW.KERNEL32 ref: 00007FF77D6A19CA

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: 125be0b080765887eaaac8652f811729fe6dc44776966959b9e78c55322146d3
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: 38B1A963F3C69641EA61AB2195001BBE392EB94BE4F845236DADD87785FF3CE441C320

Function 00007FF77D6A5E7C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF77D6A5EAA

Part of subcall function 00007FF77D6A55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A560C

_get_daylight.LIBCMT ref: 00007FF77D6A5EBB

Part of subcall function 00007FF77D6A5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A55AC

_get_daylight.LIBCMT ref: 00007FF77D6A5ECC

Part of subcall function 00007FF77D6A55C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A55DC

Part of subcall function 00007FF77D69A948: RtlFreeHeap.NTDLL(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A95E
Part of subcall function 00007FF77D69A948: GetLastError.KERNEL32(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A968

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF77D6A610C), ref: 00007FF77D6A5EF3

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: b288ef16ba4581bc56b0ebfd55469ac10e8c2754b8a98275d16c27a205f8ae34
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: D6513033E3C64286E710FF25D5815AAE762BB987C4F804236EA8DC7695EF3CE4418760

Function 00007FF77D68D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF77D68D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF77D68D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF77D68D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF77D68D066

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 14a8499e14123beba902dd89f1c22f41f4dd9097b921d8cf51a00b565be52fc5
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 09111F26B28B0589EB00DF64E8542BA73B4F759798F440E31DA6D86764EF78D1548350

Function 00007FF77D6A3C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF77D6A3C76
memcpy_s.LIBCPMT ref: 00007FF77D6A3CA1

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: d25fbc313e9eb53404c1c9a001f91f18a5715038422c1878ef179c7271dc71b6
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 41C1B073A3C68687D7249F55E04466AF792F784B84F858235DB8E83744EF3DE8058B40

Function 00007FF77D68A47B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

unknown header flags set, xrefs: 00007FF77D68A4C5
, xrefs: 00007FF77D68A55B
header crc mismatch, xrefs: 00007FF77D68A921

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: e32b299fc273864699ec3bddfbf8fc958dab4a7742ffdf8f0166f3b43fcc42d1
Instruction ID: e64f71d1c55cb5227cd3e1608f259aa6e4ac6001c33279031de3216b302a954e
Opcode Fuzzy Hash: e32b299fc273864699ec3bddfbf8fc958dab4a7742ffdf8f0166f3b43fcc42d1
Instruction Fuzzy Hash: DBF19473E3C3C58BE7A5AB14C188A3BBAAAEF44784F454634DE4987790EB38E541C750

Function 00007FF77D6A9728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF77D6A9977
RaiseException.KERNEL32 ref: 00007FF77D6A9988

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: a0bfba8f3c0bb4cde7997d7ebcf05b6bb4503127710c1d60a7e52e8500a4730d
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: A3B1B373A24B848BE715CF29C84536D77E1F780B88F688922DB9D877A4DB39D451C710

Function 00007FF77D6939A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF77D693B12
, xrefs: 00007FF77D693D54

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: bac39b7171496ea23e6ee26e7ec05bd1f80118255af16b9213e168169ea02850
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: D4E1B573E3C64281DB64AE15815013EB3A3EF45BC8F94537DDA0E87694EF2AE856C710

Function 00007FF77D68A2DB Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF77D68A449
incorrect header check, xrefs: 00007FF77D68A462

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
Instruction ID: 11e2dcd2c68ae0a359083519b61e4965d8e7a984ebff72165b9e2fad7bc8f73f
Opcode Fuzzy Hash: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
Instruction Fuzzy Hash: F4919A73E3C2C5C7E7A49E18C558A3F7AAAFB45390F514239DA4AC6790EB38E540CB50

Function 00007FF77D69DEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF77D69E07A
e+000, xrefs: 00007FF77D69DFFD

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: aec1cdcb7c2a294b89923f657d5f3370f40ce60cf30ba618ef61bf4a58a2389e
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: 64514627F3C2C146E7249E35980577AAB93E744BD4F888379CB9887AC6EE3DD4008710

Function 00007FF77D6A08C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 237fa8d459c5d11eae1bba494416b753c006fbba9c027a8b8839988129060696
Instruction ID: 516078e5ecaec83d4c9e5f7f43e77dc014de633a4e6fac6369469cd3fa18432e
Opcode Fuzzy Hash: 237fa8d459c5d11eae1bba494416b753c006fbba9c027a8b8839988129060696
Instruction Fuzzy Hash: 1A027E23E3D65241FB65BB21950027BA683AF95BE0FC54735DDADE62D6FE3CA4018320

Function 00007FF77D69DA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF77D69DD9E

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 47efe2bb04f2a36297dbaae06486cd3d9f235eda863aef8a8e3d81aac1900128
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: FCA14763E2C78586EB21DF25A0047BAB797AB50BC4F488276DB4D87785EE3DD406CB10

Function 00007FF77D698794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF77D6987B3

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction ID: 1bbcfd67540072279ba8c5cf1633a1d35bd36794e6d47e1ab30a6f5124792ead
Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction Fuzzy Hash: 91518B83F3C65241EA68BA265A0117BD3936F94FD4F884679DE5EC7796FE3CE4024220

Function 00007FF77D6A3480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF77D6A3484

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: 626926095de90d8603c66662d075983c9e3460b0ed6cf9609d95965a276da719
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: DBB09B11E3B701C1ED0477155C8221556557F44740FD40235C05C80330ED2C24E55710

Function 00007FF77D6935A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: 64b6f3cd419dc563dc59f87ed0f4d1212fa003ba8de331c06123c9fb78744510
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: 5ED1B573E3C64245EB68AA25854027FA6A3EB05BC8F94037DCE0D87795EF39E845C760

Function 00007FF77D689800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: b5809044f38a3583a90a478bc8b1b4da625af30407de518c9fff8c5ca241db4a
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: DDC1AD726281E08BD28AEB29E46947A73E1F78934DBD5406BEF8747785C73CA414DB20

Function 00007FF77D692C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: ce69a63b2fcbfa9afe79f9d881fd096ae6071dd7623ccc2d76a102f9ee00e38c
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: F7B1BD73D3C64585E7649F28C08013EBBA3E709B88FE60279CA4E83398EF29D445C764

Function 00007FF77D69E570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: a7b9ef6ea967d17abf82f5356a50e0d1c447e5240800b4f2db64d57f4bbd2159
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: C481E177E3D28146EA649B19944037BAA93FB457D0F844339EA8D87B86EE3DE0008B10

Function 00007FF77D6A6418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 403f67b08c5d8b9127b9d27d37b93e2a1e0a746a19683c5483168a42cc689f1f
Instruction ID: 7a960bd1108f79ab80dfd8ccb4f464c62e456d6f53c9e55f338e3f4eeef3433f
Opcode Fuzzy Hash: 403f67b08c5d8b9127b9d27d37b93e2a1e0a746a19683c5483168a42cc689f1f
Instruction Fuzzy Hash: 1861EB23E3C95246F764A6A8905067ED583EF817E0F944339D69DC26D5FE6DE8008720

Function 00007FF77D691D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: bc652c820a445fab73090d70a7020464a0935160af26845c8c76e0c50ce1471f
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: B851B7B7E3C65185E7249B19C04023A73A3EB45B98F744275CA4D87794DB3EE847C760

Function 00007FF77D692164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 7ff963e1d7daa37137741492d1baec0cf802322f453defbc43ca5337987538e8
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: DF519537E3C65181E7249B29C44023A73A3EB59B98FE54279CB4C87794EB3AE853C750

Function 00007FF77D691944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 018c035b3df0932ff2cfd873333bf4af2d15986e6fbd67d19bb7087a9459f53c
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: E25185B7E3C65189E7249B29C04023963A3EB54B98F744275CA8D97794EB3EEC43C760

Function 00007FF77D691F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 304daeef299834581bc759e3f8f378b6907cfd41998a5366cf199f8c2315523e
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 2051F877E3C65585E7249B29C04033A73A3EB48B98FA54275CE4C87799DB3AE843C750

Function 00007FF77D691740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 9900171e1cc1cd2a4dd74116b38dd3934732de43766b3eee5d9b7172c4cb9d16
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 2A51C677E3C65189E7249B29C14023A63A3EB54B98F744275DE4C87794EB3EE843C760

Function 00007FF77D691B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: a0075a9701050275316995b5d1eb8be82ff64c6b4c1e008007891d23d0819df0
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: AC51B7B7E3C65189E7249B18C04023967A3EB45B98F744275CE4C97798EB3EE843C760

Function 00007FF77D695D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: e31ebd090da83b02917ab8d631684ba592630bbfd45f687bae9d17fcc6f3e36a
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 20419473C3D78A05ED95D91845046769A839F227E0F9813FCDD9D973CBE90E654EC120

Function 00007FF77D699EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: a01cf79d697a2804a0fc77336b066cff1161cb6d007709a61a07a09736724b21
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: 7D41D423B38A5582EF04DF2ADA1457AA3A2B748FD0B999537DE4DD7B58EE3DD0418300

Function 00007FF77D6980E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
Instruction ID: d0bb73289c56f4d7f01c22fb9d05403c733ef86304c79e1cb711848325bd4842
Opcode Fuzzy Hash: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
Instruction Fuzzy Hash: 9731A273A3DB4241E764AB25A44017EA6D7AB85BD0F54433CEA9D93B95EF3CD0028714

Function 00007FF77D6A9570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: ce96b4e79149a88492b647cfaaabf469f045715af843cb18f136b63b9f15fd92
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: 93F04472B382A58ADB98AF6DB84262A77D1F7483C0F908239D58DC3B14EA3C90518F14

Function 00007FF77D68D30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: d9f5151ef415bf2dced9d0db38f648036bb5db902808a1d9d7adeafe29df196b
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: E6A00122D3C80AD5E644AB04A8A04B6A622FB99385BC40232E15D910A0AF2CA4049760

Function 00007FF77D685830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D685840
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D685852
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D685889
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68589B
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6858B4
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6858C6
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6858DF
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6858F1
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68590D
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68591F
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68593B
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68594D
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D685969
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68597B
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D685997
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6859A9
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6859C5
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6859D7

Strings

Py_DecRef, xrefs: 00007FF77D685836, 00007FF77D685858
PyUnicode_Join, xrefs: 00007FF77D685FA9, 00007FF77D685FCB
PyUnicode_FromFormat, xrefs: 00007FF77D685F4D, 00007FF77D685F6F
PyUnicode_Replace, xrefs: 00007FF77D685FD7, 00007FF77D685FF9
Py_IsInitialized, xrefs: 00007FF77D685931, 00007FF77D685953
PyModule_GetDict, xrefs: 00007FF77D685CC9, 00007FF77D685CEB
PyErr_NormalizeException, xrefs: 00007FF77D685AFD, 00007FF77D685B1F
PySys_GetObject, xrefs: 00007FF77D685E67, 00007FF77D685E89
PyErr_Fetch, xrefs: 00007FF77D685ACF, 00007FF77D685AF1
PyImport_AddModule, xrefs: 00007FF77D685BE3, 00007FF77D685C05
PyConfig_SetBytesString, xrefs: 00007FF77D685A17, 00007FF77D685A39
PyErr_Occurred, xrefs: 00007FF77D685B2B, 00007FF77D685B4D
PySys_SetObject, xrefs: 00007FF77D685E95, 00007FF77D685EB7
PyConfig_SetString, xrefs: 00007FF77D685A45, 00007FF77D685A67
PyErr_Print, xrefs: 00007FF77D685B59, 00007FF77D685B7B
PyRun_SimpleStringFlags, xrefs: 00007FF77D685E0B, 00007FF77D685E2D
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF77D685DDD, 00007FF77D685DFF
PyObject_CallFunctionObjArgs, xrefs: 00007FF77D685D25, 00007FF77D685D47
PyObject_Str, xrefs: 00007FF77D685DAF, 00007FF77D685DD1
PyObject_CallFunction, xrefs: 00007FF77D685CF7, 00007FF77D685D19
PyUnicode_Decode, xrefs: 00007FF77D685EF1, 00007FF77D685F13
PyEval_EvalCode, xrefs: 00007FF77D685BB5, 00007FF77D685BD7
Py_ExitStatusException, xrefs: 00007FF77D6858AA, 00007FF77D6858CC
PyImport_ImportModule, xrefs: 00007FF77D685C3F, 00007FF77D685C61
Py_Finalize, xrefs: 00007FF77D6858D5, 00007FF77D6858F7
PyErr_Restore, xrefs: 00007FF77D685B87, 00007FF77D685BA9
PyErr_Clear, xrefs: 00007FF77D685AA1, 00007FF77D685AC3
PyUnicode_AsUTF8, xrefs: 00007FF77D685EC3, 00007FF77D685EE5
PyUnicode_DecodeFSDefault, xrefs: 00007FF77D685F1F, 00007FF77D685F41
PyObject_SetAttrString, xrefs: 00007FF77D685D81, 00007FF77D685DA3
GetProcAddress, xrefs: 00007FF77D685868
PyMarshal_ReadObjectFromString, xrefs: 00007FF77D685C6D, 00007FF77D685C8F
PyImport_ExecCodeModule, xrefs: 00007FF77D685C11, 00007FF77D685C33
Py_PreInitialize, xrefs: 00007FF77D68595F, 00007FF77D685981
PyConfig_InitIsolatedConfig, xrefs: 00007FF77D6859BB, 00007FF77D6859DD
PyStatus_Exception, xrefs: 00007FF77D685E39, 00007FF77D685E5B
PyObject_GetAttrString, xrefs: 00007FF77D685D53, 00007FF77D685D75
PyConfig_SetWideStringList, xrefs: 00007FF77D685A73, 00007FF77D685A95
Failed to get address for %hs, xrefs: 00007FF77D685861
Py_InitializeFromConfig, xrefs: 00007FF77D685903, 00007FF77D685925
PyUnicode_FromString, xrefs: 00007FF77D685F7B, 00007FF77D685F9D
PyConfig_Clear, xrefs: 00007FF77D68598D, 00007FF77D6859AF
PyConfig_Read, xrefs: 00007FF77D6859E9, 00007FF77D685A0B
PyMem_RawFree, xrefs: 00007FF77D685C9B, 00007FF77D685CBD
Py_DecodeLocale, xrefs: 00007FF77D68587F, 00007FF77D6858A1

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: 79a2aa684798d68db572ee7fe86d9353dcc48203dacf02854a67bea2127dd6c7
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: 90229266E3DB17D1FA05BB69A814577A7A2AF847C1BC51336C49E82364FF3CB5488230

Function 00007FF77D6881D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77D689390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77D6845F4,00000000,00007FF77D681985), ref: 00007FF77D6893C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF77D6886B7,?,?,00000000,00007FF77D683CBB), ref: 00007FF77D68822C

Part of subcall function 00007FF77D682810: MessageBoxW.USER32 ref: 00007FF77D6828EA

Strings

LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF77D688240
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF77D6882D9
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF77D688203
%.*s, xrefs: 00007FF77D68830C
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF77D68829D
\, xrefs: 00007FF77D688261
CreateDirectory, xrefs: 00007FF77D68837C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF77D688373

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction ID: 13f5c94b32422a94e6a83ed4de74b14c0ac98d3864a61f303e0d215e65f1d957
Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction Fuzzy Hash: E7514113E3C642C1EA50FB65A8516BBE393AF94BC0FC44636D64EC26D5FE2CE5058760

Function 00007FF77D682180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF77D6821AB
SelectObject.GDI32 ref: 00007FF77D6821F2
DrawTextW.USER32 ref: 00007FF77D682215
SelectObject.GDI32 ref: 00007FF77D68222B
ReleaseDC.USER32 ref: 00007FF77D68223B
MoveWindow.USER32 ref: 00007FF77D68228B
MoveWindow.USER32 ref: 00007FF77D6822CB
MoveWindow.USER32 ref: 00007FF77D68231E
MoveWindow.USER32 ref: 00007FF77D682366

Strings

P%, xrefs: 00007FF77D6821FF

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 324a2019fd3fd77a4f37da7bbf7c37a1025943420115d161faca1770fff69cc4
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: E751CC265287A186D6349F25E4181BBFBA2F7987A1F404135DFDE83654EF3CD045D720

Function 00007FF77D6880C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF77D6880FF
GetWindowLongPtrW.USER32 ref: 00007FF77D68817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF77D688192
GetLastError.KERNEL32 ref: 00007FF77D68819C
SetWindowLongPtrW.USER32 ref: 00007FF77D6881B3

Strings

Needs to remove its temporary files., xrefs: 00007FF77D688185

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 8f05c8cd3f3a5116c4117493b49271758d2e5c89a6cadda8ec4540b80e3b5054
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: D7215522E3CA43C1E641AB79F84416AA752EF85FD1F984331DA5DC3394FE2CD5558220

Function 00007FF77D696290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6962D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6966C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69695C

Strings

f, xrefs: 00007FF77D6963F5
p, xrefs: 00007FF77D6963FD
:, xrefs: 00007FF77D69648C
p, xrefs: 00007FF77D696385
-, xrefs: 00007FF77D696369

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: d9aab633c8f04de42bd4728b457c556a7bdbb2263cd69309181dd9a70507b33f
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 48127273E3C34386FB247A94D25427BB693EB50794FC44279E689876C4EB3CE5809B21

Function 00007FF77D690FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D691008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6913D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69166F

Strings

f, xrefs: 00007FF77D69110A
p, xrefs: 00007FF77D691112
f, xrefs: 00007FF77D6910A0
p, xrefs: 00007FF77D6910AD
f, xrefs: 00007FF77D691255

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 1fc66d006c6cbfe357807823516de38c13e5d618623b1bb0c58bbff24acb8589
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 571252A3E3C5438AFB207A15D05467BB6A3FB407D4FE44279D699866C4EB7CE5408B30

Function 00007FF77D681050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF77D681108
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77D6810CC
fseek, xrefs: 00007FF77D6810D3
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF77D6811F6
fread, xrefs: 00007FF77D6811FD
Failed to extract %s: failed to open archive file!, xrefs: 00007FF77D681098
malloc, xrefs: 00007FF77D68110F

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: bdb51f189eec0aae26590c8a1b92bbb562030306dab734aaada4990c27a5542a
Instruction ID: 01ad64ff8b063d00765917566a35483823c59f4bff9c8d3f0c7078e534128e88
Opcode Fuzzy Hash: bdb51f189eec0aae26590c8a1b92bbb562030306dab734aaada4990c27a5542a
Instruction Fuzzy Hash: 70415C63E3C65285EA10FB16A8006BBE797BB84BC4FC44631ED8C87785EE3CE5458320

Function 00007FF77D681470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF77D681518
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77D6814DE
fseek, xrefs: 00007FF77D6814E5
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF77D6815DF
fread, xrefs: 00007FF77D6815E6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF77D68149F
malloc, xrefs: 00007FF77D68151F

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: a8e221c47165c0dbec1a7dc4007f346f16716469ebf4d834264a8452580f1fe3
Instruction ID: 1c993f77c24be8577f77987fd2f93e51290cf9efd07bd9fdbf9392e402d31871
Opcode Fuzzy Hash: a8e221c47165c0dbec1a7dc4007f346f16716469ebf4d834264a8452580f1fe3
Instruction Fuzzy Hash: D1417EA3E3C64285EB10EB2194105BAE392BF847D4FC44A32ED4D87A99FE3CE5418725

Function 00007FF77D68EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF77D68EA65

Part of subcall function 00007FF77D68F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF77D68F9FF
Part of subcall function 00007FF77D68F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF77D68FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF77D68EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF77D68ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF77D68EE98

Strings

csm, xrefs: 00007FF77D68EAE6
csm, xrefs: 00007FF77D68EB60
csm, xrefs: 00007FF77D68EA7F

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 3513ea4b6d242e8808e2c46404d92e596a2edcbc03762cb966261ad0d9c977c0
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: FFD18E27E2C741CAEB20AB2494403AEA7A1FB557D8F900235DE4D97B96EF3DE494C710

Function 00007FF77D682C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682D63
MessageBoxW.USER32 ref: 00007FF77D682D99

Strings

Error, xrefs: 00007FF77D682D8C
<FormatMessageW failed.>, xrefs: 00007FF77D682D70
%ls: , xrefs: 00007FF77D682D22
[PYI-%d:ERROR] , xrefs: 00007FF77D682CA6

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 537b623d01a84f08960f518e141ccaae2c50135e1e60a1aeec94eae88f1fe8c7
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 8531B863B2C64192E620B715A8106ABA693BB887D4F810235EF4E93759EF3CD546C310

Function 00007FF77D68DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF77D68DF7A,?,?,?,00007FF77D68DC6C,?,?,?,00007FF77D68D869), ref: 00007FF77D68DD4D
GetLastError.KERNEL32(?,?,?,00007FF77D68DF7A,?,?,?,00007FF77D68DC6C,?,?,?,00007FF77D68D869), ref: 00007FF77D68DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF77D68DF7A,?,?,?,00007FF77D68DC6C,?,?,?,00007FF77D68D869), ref: 00007FF77D68DD85
FreeLibrary.KERNEL32(?,?,?,00007FF77D68DF7A,?,?,?,00007FF77D68DC6C,?,?,?,00007FF77D68D869), ref: 00007FF77D68DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF77D68DF7A,?,?,?,00007FF77D68DC6C,?,?,?,00007FF77D68D869), ref: 00007FF77D68DDFF

Strings

api-ms-, xrefs: 00007FF77D68DD6D

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 1fb76656279d9900e4032762bbedfd79774d37c0b2462908baf8b221a47c4ba4
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: C9318F23F3E642D5EE11AB1694005AAA7D6FF48BE4F994635DE1D86380FE3CE4488730

Function 00007FF77D686360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

ucrtbase.dll, xrefs: 00007FF77D6863DD
LoadLibrary, xrefs: 00007FF77D6864AE
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF77D686456
Failed to load Python DLL '%ls'., xrefs: 00007FF77D6864A7
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF77D6863C7
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF77D686407

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction ID: e930acdb83edfe63373f6dbed40ed639e00ecd0f7df7aa3d1f0f0edfdebd16b6
Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction Fuzzy Hash: D0412932E3C686D1EA15EB60E4542EAA352FB943C4FC04232DA9D83695FF3CE559C760

Function 00007FF77D682A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF77D68351A,?,00000000,00007FF77D683F1B), ref: 00007FF77D682AA0

Strings

0, xrefs: 00007FF77D682B16
[PYI-%d:%s] , xrefs: 00007FF77D682AA8
Warning, xrefs: 00007FF77D682B1E
WARNING, xrefs: 00007FF77D682AAF
Warning [ANSI Fallback], xrefs: 00007FF77D682B0F

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 1b3b05edfa342a6c7f06649f5716d58dd1f984ecc9c62e1f30ffa5f348c703cd
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 9A217173A3C78192E620AB55B8417E7A795FB887C4F800236EE8D93659EF3CD245C650

Function 00007FF77D69B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF77D69B15F
FlsGetValue.KERNEL32 ref: 00007FF77D69B174
FlsSetValue.KERNEL32 ref: 00007FF77D69B195
FlsSetValue.KERNEL32 ref: 00007FF77D69B1C2
FlsSetValue.KERNEL32 ref: 00007FF77D69B1D3
FlsSetValue.KERNEL32 ref: 00007FF77D69B1E4
SetLastError.KERNEL32 ref: 00007FF77D69B1FF

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 12f476f87c8743e70c8b210e20a22f1b01636e2fed05d2f1e0a082253e023e8e
Instruction ID: 174cf1dcc9d109f80b6433a43d60c4efc33aa519a9ace5c3c236834d7e1bb264
Opcode Fuzzy Hash: 12f476f87c8743e70c8b210e20a22f1b01636e2fed05d2f1e0a082253e023e8e
Instruction Fuzzy Hash: AD214F26E3C24241F9587729669113BE6835F447F0F94477CE97EC7AC6FD2CA4408320

Function 00007FF77D6A7D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF77D6A7D9D
GetLastError.KERNEL32 ref: 00007FF77D6A7DA9
CloseHandle.KERNEL32 ref: 00007FF77D6A7DC1
CreateFileW.KERNEL32 ref: 00007FF77D6A7DEC
WriteConsoleW.KERNEL32 ref: 00007FF77D6A7E0B

Strings

CONOUT$, xrefs: 00007FF77D6A7DCD

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: 93fa2b00c20efc0f7774d803c743df272006ca24b00337319647b22d24ae8da6
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: D9118422E3CA4186E750AB16F85433AA7A1FB88BE4F500334D99DC7794EF3CD8148750

Function 00007FF77D688ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D688EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D688F5A

Part of subcall function 00007FF77D689390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77D6845F4,00000000,00007FF77D681985), ref: 00007FF77D6893C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D688FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D689044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D689055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D68906A

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction ID: 77824dc5bf1fcac4117a58aed5dc672a675f41ae0319790c727e635c5f256a75
Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction Fuzzy Hash: FC415467E3D682C1EA30AB11A5402BBA396EB85BD4F854239DF4D97789FE3CE501C710

Function 00007FF77D69B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B30D
FlsSetValue.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B33A
FlsSetValue.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B34B
FlsSetValue.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B35C
SetLastError.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B377

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 341ed06667cf8b6c5416a7ef0c6dfdccbf195f5bc763a811adde1679d5f4f530
Instruction ID: a96e01a7bef85c33d27e2799890d1b277947c484131ebdca5929970c70d9a0e1
Opcode Fuzzy Hash: 341ed06667cf8b6c5416a7ef0c6dfdccbf195f5bc763a811adde1679d5f4f530
Instruction Fuzzy Hash: F4116D26E3C64282FA54B329569113FE6879F457F0F948778E83EC76D6FE2CA4414320

Function 00007FF77D682910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF77D681B6A), ref: 00007FF77D68295E

Strings

Error, xrefs: 00007FF77D682A0E
Error [ANSI Fallback], xrefs: 00007FF77D6829FF
%s: %s, xrefs: 00007FF77D6829E8
[PYI-%d:ERROR] , xrefs: 00007FF77D682966

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 73ec6bf89455a57c58b06fa0ae3ab1c5e2a7bc309814cbec61ad3786700b431e
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 1831B763F3C68192E710B765A8406E7A696BF887D4F810236EE8DC3759FF3CD5468210

Function 00007FF77D682390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF77D6823C8
DialogBoxIndirectParamW.USER32 ref: 00007FF77D68248E
DeleteObject.GDI32 ref: 00007FF77D6824C1
DestroyIcon.USER32 ref: 00007FF77D6824D3

Strings

Unhandled exception in script, xrefs: 00007FF77D6823F8

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction ID: 446fb72b4d02c4236079d394fb0ed5ce25fc5d267de1381daf6e25d45655badc
Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction Fuzzy Hash: EC315363A3D68285E710AB21E8552FAA752FF887C4F840235EA4D87B49EF3CD1048710

Function 00007FF77D682B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF77D68918F,?,00007FF77D683C55), ref: 00007FF77D682BA0
MessageBoxW.USER32 ref: 00007FF77D682C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF77D682BA8
Warning, xrefs: 00007FF77D682C1D
WARNING, xrefs: 00007FF77D682BAF

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: f63257a47553c2032eff2fe4cf6b8ec4a3197cfdd41733b07804cf9f15422fb3
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: 3021A663B2CB4182E710AB14F4447ABA766FB887C4F800236EA8D97659EF3CD255C750

Function 00007FF77D682710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF77D681B99), ref: 00007FF77D682760

Strings

Error, xrefs: 00007FF77D6827DE
[PYI-%d:%s] , xrefs: 00007FF77D682768
Error [ANSI Fallback], xrefs: 00007FF77D6827CF
ERROR, xrefs: 00007FF77D68276F

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: 01d34c8c1c0404b22cbe3ae83f56b1663057af70ef693a0824993ba038dc5048
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: F3217F73E3C78182E720AB55B8417E7A7A5EB883C4F800236EA8D93659EF7CD1458750

Function 00007FF77D699A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF77D699AAD
GetProcAddress.KERNEL32 ref: 00007FF77D699AC3
FreeLibrary.KERNEL32 ref: 00007FF77D699AEA

Strings

mscoree.dll, xrefs: 00007FF77D699AA4
CorExitProcess, xrefs: 00007FF77D699ABC

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: 1770cd55ac1beb024a4d0b1099aa99eea230b739e2cc4ce52add5c26bad3d860
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 5DF04422E3D60681EA10AB24A45437B9762EF897E5F941339D56E851E4FF2CD444C720

Function 00007FF77D6A9368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF77D6A9390
_set_statfp.LIBCMT ref: 00007FF77D6A93AB
_set_statfp.LIBCMT ref: 00007FF77D6A93C7
_set_statfp.LIBCMT ref: 00007FF77D6A9403

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 213db936796fc3778afcba5c84b0d6d08a704705715f00606921d5d5fe13ce49
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 91114F23D7CA0201F6542155A89137B9062AFD93E8FE40736EBAE962DABE6C68414220

Function 00007FF77D69B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF77D69A5A3,?,?,00000000,00007FF77D69A83E,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF77D69A5A3,?,?,00000000,00007FF77D69A83E,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF77D69A5A3,?,?,00000000,00007FF77D69A83E,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF77D69A5A3,?,?,00000000,00007FF77D69A83E,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69B407
FlsSetValue.KERNEL32(?,?,?,00007FF77D69A5A3,?,?,00000000,00007FF77D69A83E,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69B418

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 076d9937837767d8c0599fb7139188ad361754fd070b51876ae2b58645e7f25c
Instruction ID: 83ca0808ae1361b3a0c94cd2bef51bd5ce1e9d53afcc9c135310723a2e4ed9a1
Opcode Fuzzy Hash: 076d9937837767d8c0599fb7139188ad361754fd070b51876ae2b58645e7f25c
Instruction Fuzzy Hash: BA116D26E3C60241FA58B329969113BA5835F447F0FD8937CE83DC66CAFE2CE4429220

Function 00007FF77D69B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF77D69B235
FlsSetValue.KERNEL32 ref: 00007FF77D69B254
FlsSetValue.KERNEL32 ref: 00007FF77D69B27C
FlsSetValue.KERNEL32 ref: 00007FF77D69B28D
FlsSetValue.KERNEL32 ref: 00007FF77D69B29E

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 84df6eade7ca2759e64539926e88efdc2e23a1e9973d593929f07b0eae7a4c09
Instruction ID: f538c7682a5980089d859b24db90e66a5ae9d22e0dc95da31c83f38e38dad85e
Opcode Fuzzy Hash: 84df6eade7ca2759e64539926e88efdc2e23a1e9973d593929f07b0eae7a4c09
Instruction Fuzzy Hash: ED110626E3C20741F958B36945A117BA5838F467F0FA487BCE93ECA6C2FD2CB4404231

Function 00007FF77D695FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D695FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D696106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6961BC

Strings

verbose, xrefs: 00007FF77D695FB0

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 49fc8158dee8d03463ff35406dbe0ecb005a87ac0c8d3ef9179d083adc5d5de7
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 2191AE23E3C74681EB60AFA8D55037FB693AB41BD4FC4427ADA59872D5EE3CE4058320

Function 00007FF77D69FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69FEA7

Part of subcall function 00007FF77D697A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D697A59

Strings

ccs, xrefs: 00007FF77D69FDE2
UTF-16LEUNICODE, xrefs: 00007FF77D69FE45
UTF-8, xrefs: 00007FF77D69FE26

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 00767ae982e21424efe52ce2e6c62e4e55cc184f1f67ef8eba1cd89e678e24d8
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: 8E81A473E3C202D5F764BE25811027BB6A3AB117C4FD68279CA09D7285EF2DE9499321

Function 00007FF77D68D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF77D68D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF77D68D70A
RtlUnwindEx.KERNEL32 ref: 00007FF77D68D764

Strings

csm, xrefs: 00007FF77D68D6F1

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: 1745753b4f805a345d4c0616f5d3b058fc74155de081ad507d368850db67da1f
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: BD517023E3D602CEDB14AB15D444A7AA792EB44BD8F984231DB4E87744EF7CE841CB20

Function 00007FF77D68EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF77D68EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF77D68EF83

Strings

MOC, xrefs: 00007FF77D68EF4B
RCC, xrefs: 00007FF77D68EF53

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 070cc0957e374de7d9a95a03585695e38ce21bbd50daed78c51e6b64d8680c66
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 7B616C3392CB85C5DB20AB15E4403AAB7A1FB957D8F444235EA9C43B96EF7CD190CB10

Function 00007FF77D68F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF77D68F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF77D68F398

Strings

csm, xrefs: 00007FF77D68F3EA
csm, xrefs: 00007FF77D68F2D2

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 67e3a653c59d2beac016d2c38ef232b8e60f1bc17d661ba938a5d04c8be8dfd0
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: 5A519F33E3C242C6EB64AA21914426AB7A2EB64BC4F944236DA4C83B96DF3CE450C751

Function 00007FF77D687E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF77D68352C,?,00000000,00007FF77D683F1B), ref: 00007FF77D687F32

Strings

%s%c, xrefs: 00007FF77D687EA4
%.*s, xrefs: 00007FF77D687EEB
\, xrefs: 00007FF77D687E97

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction ID: 3c798745d1f8650b8f62018f9636e3239a9f20de0f3146175b9d1dd341fbab97
Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction Fuzzy Hash: 1C31BA62E3DAC185EA21A711E4507ABA356EB84BE0F844331EAAD877C5FF2CD6418750

Function 00007FF77D682810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF77D6828EA

Strings

Error, xrefs: 00007FF77D6828DD
ERROR, xrefs: 00007FF77D68286F
[PYI-%d:%ls] , xrefs: 00007FF77D682868

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: 31a32ef2c6f95a0c2a27cc5e00b15e28b4dc188d125b7932c4417faf45dc7aa1
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 1E219163B28B4182E710AB14B4447ABA7A6EB887C0F800236EA8D93659EF3CD255C750

Function 00007FF77D69C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF77D69C61F
WriteFile.KERNEL32 ref: 00007FF77D69C8E7
WriteFile.KERNEL32 ref: 00007FF77D69C92D
GetLastError.KERNEL32 ref: 00007FF77D69C9E3

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: b620f536da00e8410c8aad0e1fdc1d57d60188c4c5e9e8a437d79d7f895de897
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 26D1EF73F2CA818AE710DF75D4402BD77A2FB547D8B81426ADE5E97B89EA38D006C710

Function 00007FF77D69F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF77D69FA7C
_get_daylight.LIBCMT ref: 00007FF77D69FA8D
_get_daylight.LIBCMT ref: 00007FF77D69FA9E
_isindst.LIBCMT ref: 00007FF77D69FB69

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 47c386d92cb6092024ef8aaec72e1afa5e0f926da57bb014de277f08e1199991
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: D8510B73F3811186EB14EF6499516BDA7A3AF543E8F910339DE1D92AD9EF38A402C710

Function 00007FF77D69577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF77D6957AF
GetFileInformationByHandle.KERNEL32 ref: 00007FF77D695811
GetLastError.KERNEL32 ref: 00007FF77D6958A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77D6956B4), ref: 00007FF77D6958EE

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction ID: 8a28f5429d2e4c9e67125e252388ac25a87a77d90ee7c1001c010b0887ce1940
Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction Fuzzy Hash: EA518233E3865185FB10EF71D5503BEA7A3AB48798F944639DE4D87689EF38D4418360

Function 00007FF77D6820C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF77D6820F4
SetWindowLongPtrW.USER32 ref: 00007FF77D682116
GetWindowLongPtrW.USER32 ref: 00007FF77D682140
InvalidateRect.USER32 ref: 00007FF77D682160

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 4db702e4260f0ae1114fb5573849cb1bf17f1f569369efbc96099a92f6ea5e0a
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 7611E922F3C142C2F654A769E54427B9693EB887C0FD44230DB8947B8DED3DD4D18220

Function 00007FF77D6A5B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77D6A1760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A1793

_get_daylight.LIBCMT ref: 00007FF77D6A5C34
_get_daylight.LIBCMT ref: 00007FF77D6A5C45

Strings

?, xrefs: 00007FF77D6A5BC5

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: ff92f2518d4ab9e194f3fd5ebea0e4a1a50341733b802b621a1c783827fed23c
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: 5041F523E3C28241E724E725945137BA692EBD0BE4F944339EE9D86ADDEF3CD4418710

Function 00007FF77D699014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D699046

Part of subcall function 00007FF77D69A948: RtlFreeHeap.NTDLL(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A95E
Part of subcall function 00007FF77D69A948: GetLastError.KERNEL32(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF77D68CBA5), ref: 00007FF77D699064

Strings

C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe, xrefs: 00007FF77D699052

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
API String ID: 3580290477-818140841
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: 55a836dad8fb8ed1c6f3f5e98ecb12e168b273073b0afe6edf662220781ca243
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: BA416E37E3C71285E714AF2595800BAB7A7FB487D0B95527AE94D83B85FE3CE4818320

Function 00007FF77D69CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF77D69CD4F
GetLastError.KERNEL32 ref: 00007FF77D69CD71

Strings

U, xrefs: 00007FF77D69CCFB

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: cbeb1b35439bb3f0d7e1996fb4b1a01f507193706e99a2bb16ecf329025b6c6d
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: E4419163A3CA4181DB20AF25E4443BAA7A2FB887C4F814235EA4DC7798EF3CD405CB50

Function 00007FF77D69F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF77D69F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF77D69F64A

Strings

:, xrefs: 00007FF77D69F60E

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: d7e4ed55f29cf6b5985c16ba7c582ed18ee62b51760ed1b5a20f115a32bf7e2e
Instruction ID: 964337a21861e369412d896d3835c6b074c981b240ba78b7c6488159310ffc96
Opcode Fuzzy Hash: d7e4ed55f29cf6b5985c16ba7c582ed18ee62b51760ed1b5a20f115a32bf7e2e
Instruction Fuzzy Hash: 6E21A073E3C34181EB20AB15904427EA3A3EB94BC4F864239D68D83695EF7CE5458761

Function 00007FF77D68FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF77D68FD98
RaiseException.KERNEL32 ref: 00007FF77D68FDD9

Strings

csm, xrefs: 00007FF77D68FDC6

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: ba8f854b799dacf9db38a70c412af82643bc7bf57596a335849349486092c63c
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: 86114C33A2CB8182EB219F15E40026ABBE5FB88B84F984631DBCD47759EF3CC5558700

Function 00007FF77D6A073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A076C
GetDriveTypeW.KERNEL32 ref: 00007FF77D6A07AC

Strings

:, xrefs: 00007FF77D6A0795

Memory Dump Source

Source File: 00000000.00000002.2671355791.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000000.00000002.2671333760.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671388999.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671411289.00007FF77D6C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2671454067.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: ec74fa260558e8435e2ed8b85590191b1fb7eb131c19f089dfce8499952ac3d5
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 6A017163D3C20285E720BF60946127FA3A2EF847C4FD00235D58DD2685FE3CE5048B24

Analysis Process: ITC590-Script 3 V2-P-2024.exePID: 6928, Parent PID: 6880COMMON

Executed Functions

Function 00007FFE133310C0 Relevance: 694.3, APIs: 203, Strings: 193, Instructions: 1313networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE133310F8
Py_AtExit.PYTHON312 ref: 00007FFE1333110D
PyErr_NewException.PYTHON312 ref: 00007FFE13331133
PyModule_AddObjectRef.PYTHON312 ref: 00007FFE13331153
PyErr_NewException.PYTHON312 ref: 00007FFE13331175
PyModule_AddObjectRef.PYTHON312 ref: 00007FFE13331195
PyModule_AddObjectRef.PYTHON312 ref: 00007FFE133311B7
PyModule_AddObjectRef.PYTHON312 ref: 00007FFE133311D9
PyType_FromMetaclass.PYTHON312 ref: 00007FFE133311F6
PyModule_AddObjectRef.PYTHON312 ref: 00007FFE13331215
PyModule_AddType.PYTHON312 ref: 00007FFE13331229
PyModule_AddObjectRef.PYTHON312 ref: 00007FFE13331248
PyMem_Malloc.PYTHON312 ref: 00007FFE1333125B
PyCapsule_New.PYTHON312 ref: 00007FFE133312BF
PyModule_AddObjectRef.PYTHON312 ref: 00007FFE133312DE
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333130A
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331328
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331346
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331364
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331382
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133313A0
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133313BE
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133313DC
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133313FA
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331418
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331436
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331454
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331472
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331490
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133314AE
PyModule_AddStringConstant.PYTHON312 ref: 00007FFE133314CD
PyModule_AddStringConstant.PYTHON312 ref: 00007FFE133314EC
PyModule_AddStringConstant.PYTHON312 ref: 00007FFE1333150B
PyModule_AddStringConstant.PYTHON312 ref: 00007FFE1333152A
PyModule_AddStringConstant.PYTHON312 ref: 00007FFE13331549
PyModule_AddStringConstant.PYTHON312 ref: 00007FFE13331568
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331586
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133315A4
PyModule_AddStringConstant.PYTHON312 ref: 00007FFE133315C3
PyModule_AddStringConstant.PYTHON312 ref: 00007FFE133315E2
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331600
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333161E
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333163C
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333165A
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331678
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331696
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133316B4
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133316D2
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133316F0
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333170E
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333172C
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333174A
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331768
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331786
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133317A4
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133317C2
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133317E0
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133317FE
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333181C
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333183A
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331858
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331876
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331894
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133318B2
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133318D0
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133318EE
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333190C
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333192A
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331948
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331966
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331984
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133319A2
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133319C0
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133319DE
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133319FC
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331A1A
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331A38
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331A53
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331A6E
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331A8C
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331AAA
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331AC8
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331AE6
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331B04
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331B22
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331B40
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331B5E
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331B7C
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331B9A
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331BB8
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331BD6
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331BF4
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331C12
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331C30
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331C4E
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331C6C
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331C8A
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331CA8
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331CC6
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331CE4
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331D02
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331D20
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331D3E
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331D5C
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331D7A
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331D98
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331DB6
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331DD4
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331DF2
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331E10
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331E2E
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331E49
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331E67
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331E85
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331EA3
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331EC1
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331EDF
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331EFD
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331F1B
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331F39
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331F57
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331F75
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331F93
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331FB1
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331FCF
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13331FED
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333200B
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332029
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332047
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332065
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332083
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133320A1
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133320BF
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133320DD
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133320FB
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332119
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332137
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332155
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332173
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332191
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133321AF
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133321CD
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133321EB
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332209
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332227
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332245
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332263
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332281
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333229F
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133322BD
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133322DB
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133322F9
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332317
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332335
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332353
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332371
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333238F
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133323AD
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133323CB
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133323E9
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332407
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332425
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332443
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332461
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333247F
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333249D
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133324BB
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133324D9
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133324F7
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332515
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332533
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332551
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333256F
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333258D
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133325AB
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133325C9
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE133325E7
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332605
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332623
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333263E
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333265C
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333267A
PyLong_FromUnsignedLong.PYTHON312 ref: 00007FFE133326D5
PyModule_AddObjectRef.PYTHON312 ref: 00007FFE133326F0
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333272C
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE1333274A
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332768
PyModule_AddIntConstant.PYTHON312 ref: 00007FFE13332786
PyModule_GetDict.PYTHON312 ref: 00007FFE13332797
memset.VCRUNTIME140 ref: 00007FFE133327B6
VerSetConditionMask.KERNEL32 ref: 00007FFE133327D6
VerSetConditionMask.KERNEL32 ref: 00007FFE133327E7
VerSetConditionMask.KERNEL32 ref: 00007FFE133327F8
VerifyVersionInfoA.KERNEL32 ref: 00007FFE1333281F
PyUnicode_FromString.PYTHON312 ref: 00007FFE1333283B
_PyDict_Pop.PYTHON312 ref: 00007FFE13332856
_Py_Dealloc.PYTHON312 ref: 00007FFE1333286D
PyErr_Format.PYTHON312 ref: 00007FFE133339DC
PyErr_NoMemory.PYTHON312 ref: 00007FFE13333A0E
_Py_Dealloc.PYTHON312 ref: 00007FFE13333A48

Strings

HV_GUID_ZERO, xrefs: 00007FFE133314C6
INADDR_NONE, xrefs: 00007FFE13331EF3
NI_NUMERICSERV, xrefs: 00007FFE133325FB
EAI_NODATA, xrefs: 00007FFE1333241B
BDADDR_LOCAL, xrefs: 00007FFE133315DB
HVSOCKET_CONNECT_TIMEOUT_MAX, xrefs: 00007FFE13331468
IPV6_CHECKSUM, xrefs: 00007FFE133321C3
RCVALL_MAX, xrefs: 00007FFE1333277C
AI_NUMERICHOST, xrefs: 00007FFE133324CF
AF_APPLETALK, xrefs: 00007FFE1333135A
IP_RECVDSTADDR, xrefs: 00007FFE13331FA7
HV_GUID_WILDCARD, xrefs: 00007FFE133314E5
EAI_MEMORY, xrefs: 00007FFE133323FD
IPPROTO_TCP, xrefs: 00007FFE13331B18
EAI_AGAIN, xrefs: 00007FFE13332385
IPPROTO_RAW, xrefs: 00007FFE13331CDA
MSG_MCAST, xrefs: 00007FFE133319B6
AF_INET, xrefs: 00007FFE1333131E
timeout, xrefs: 00007FFE133311CC
IP_BLOCK_SOURCE, xrefs: 00007FFE13332097
SO_DONTROUTE, xrefs: 00007FFE13331722
IPPROTO_RDP, xrefs: 00007FFE13331D8E
HV_GUID_CHILDREN, xrefs: 00007FFE13331523
TCP_KEEPINTVL, xrefs: 00007FFE1333232B
IP_RECVTOS, xrefs: 00007FFE13331F89
SHUT_RDWR, xrefs: 00007FFE13332670
SHUT_RD, xrefs: 00007FFE13332634
SIO_RCVALL, xrefs: 00007FFE13332688
AI_V4MAPPED, xrefs: 00007FFE13332547
NI_NAMEREQD, xrefs: 00007FFE133325DD
IPV6_HOPOPTS, xrefs: 00007FFE1333221D
IPV6_LEAVE_GROUP, xrefs: 00007FFE1333210F
SO_LINGER, xrefs: 00007FFE1333177C
HVSOCKET_CONNECT_TIMEOUT, xrefs: 00007FFE1333144A
SocketType, xrefs: 00007FFE1333120B
HV_GUID_PARENT, xrefs: 00007FFE13331561
90DB8B89-0D35-4F79-8CE9-49EA0AC8B7CD, xrefs: 00007FFE13331519
MSG_BCAST, xrefs: 00007FFE13331998
SO_OOBINLINE, xrefs: 00007FFE1333179A
IP_MULTICAST_IF, xrefs: 00007FFE13331FC5
SHUT_WR, xrefs: 00007FFE13332652
IPPROTO_MAX, xrefs: 00007FFE13331CF8
_socket.CAPI, xrefs: 00007FFE133312B8
IPPROTO_IGMP, xrefs: 00007FFE13331AA0
SO_TYPE, xrefs: 00007FFE1333188A
AI_ADDRCONFIG, xrefs: 00007FFE13332529
EAI_SERVICE, xrefs: 00007FFE13332457
IP_ADD_MEMBERSHIP, xrefs: 00007FFE1333201F
AF_UNSPEC, xrefs: 00007FFE13331300
NI_DGRAM, xrefs: 00007FFE13332619
IPPROTO_CBT, xrefs: 00007FFE13331D52
EAI_FAMILY, xrefs: 00007FFE133323DF
HV_GUID_BROADCAST, xrefs: 00007FFE13331504
TCP_KEEPIDLE, xrefs: 00007FFE1333230D
IPV6_MULTICAST_LOOP, xrefs: 00007FFE13332169
BDADDR_ANY, xrefs: 00007FFE133315BC
IP_UNBLOCK_SOURCE, xrefs: 00007FFE13332079
IPV6_TCLASS, xrefs: 00007FFE133322B3
AI_CANONNAME, xrefs: 00007FFE133324B1
SOCK_SEQPACKET, xrefs: 00007FFE13331650
IP_MULTICAST_LOOP, xrefs: 00007FFE13332001
IPPROTO_ROUTING, xrefs: 00007FFE13331BCC
INADDR_ALLHOSTS_GROUP, xrefs: 00007FFE13331EB7
IPPROTO_PIM, xrefs: 00007FFE13331C9E
IPV6_V6ONLY, xrefs: 00007FFE133321A5
IPPROTO_AH, xrefs: 00007FFE13331C26
AF_HYPERV, xrefs: 00007FFE1333140E
IPPROTO_ESP, xrefs: 00007FFE13331C08
FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF, xrefs: 00007FFE133314FA
00000000-0000-0000-0000-000000000000, xrefs: 00007FFE133314BC, 00007FFE133314DB
IPPROTO_ICLFXBM, xrefs: 00007FFE13331D16
MSG_OOB, xrefs: 00007FFE133318C6
NI_NOFQDN, xrefs: 00007FFE133325A1
SIO_KEEPALIVE_VALS, xrefs: 00007FFE133326A1
IPPROTO_ND, xrefs: 00007FFE13331BAE
SO_DEBUG, xrefs: 00007FFE1333168C
IPV6_DONTFRAG, xrefs: 00007FFE133321E1
IPV6_MULTICAST_IF, xrefs: 00007FFE1333214B
IPPROTO_ICMPV6, xrefs: 00007FFE13331C44
gaierror, xrefs: 00007FFE1333118B
RCVALL_SOCKETLEVELONLY, xrefs: 00007FFE1333275E
IPPROTO_IDP, xrefs: 00007FFE13331B90
HV_PROTOCOL_RAW, xrefs: 00007FFE1333142C
TCP_KEEPCNT, xrefs: 00007FFE13332349
AF_IPX, xrefs: 00007FFE1333133C
AF_BLUETOOTH, xrefs: 00007FFE1333157C
EAI_NONAME, xrefs: 00007FFE13332439
SO_SNDBUF, xrefs: 00007FFE133317B8
EAI_BADFLAGS, xrefs: 00007FFE133323A3
SOCK_RDM, xrefs: 00007FFE1333166E
SOCK_DGRAM, xrefs: 00007FFE13331614
socket.gaierror, xrefs: 00007FFE13331168
INADDR_LOOPBACK, xrefs: 00007FFE13331E7B
IPPROTO_IP, xrefs: 00007FFE13331A49
SO_RCVBUF, xrefs: 00007FFE133317D6
SOCK_STREAM, xrefs: 00007FFE133315F6
SOCK_RAW, xrefs: 00007FFE13331632
SOL_TCP, xrefs: 00007FFE13331A10
INADDR_BROADCAST, xrefs: 00007FFE13331E5D
IPV6_RECVRTHDR, xrefs: 00007FFE13332259
IPPROTO_UDP, xrefs: 00007FFE13331B72
AF_SNA, xrefs: 00007FFE133313D2
IPV6_PKTINFO, xrefs: 00007FFE1333223B
IP_ADD_SOURCE_MEMBERSHIP, xrefs: 00007FFE133320B5
00:00:00:FF:FF:FF, xrefs: 00007FFE133315D1
IP_PKTINFO, xrefs: 00007FFE1333205B
SO_RCVTIMEO, xrefs: 00007FFE1333184E
BTPROTO_RFCOMM, xrefs: 00007FFE1333159A
00:00:00:00:00:00, xrefs: 00007FFE133315B2
IP_TOS, xrefs: 00007FFE13331F4D
IPPROTO_ST, xrefs: 00007FFE13331D34
INADDR_UNSPEC_GROUP, xrefs: 00007FFE13331E99
IPPROTO_NONE, xrefs: 00007FFE13331C62
E0E16197-DD56-4A10-9195-5EE7A155A838, xrefs: 00007FFE13331538
SO_SNDTIMEO, xrefs: 00007FFE13331830
NI_MAXHOST, xrefs: 00007FFE13332565
MSG_WAITALL, xrefs: 00007FFE1333195C
AI_PASSIVE, xrefs: 00007FFE13332493
SO_EXCLUSIVEADDRUSE, xrefs: 00007FFE133316E6
A42E7CDA-D03F-480C-9CC2-A4DE20ABB878, xrefs: 00007FFE13331557
IP_MULTICAST_TTL, xrefs: 00007FFE13331FE3
SOMAXCONN, xrefs: 00007FFE133318A8
HV_GUID_LOOPBACK, xrefs: 00007FFE13331542
IPV6_MULTICAST_HOPS, xrefs: 00007FFE1333212D
IPV6_JOIN_GROUP, xrefs: 00007FFE133320F1
SO_KEEPALIVE, xrefs: 00007FFE13331704
IPPROTO_IPV4, xrefs: 00007FFE13331ADC
IPPROTO_HOPOPTS, xrefs: 00007FFE13331A64
RCVALL_OFF, xrefs: 00007FFE13332722
SO_ACCEPTCONN, xrefs: 00007FFE133316AA
IPV6_HOPLIMIT, xrefs: 00007FFE133321FF
TCP_MAXSEG, xrefs: 00007FFE133322EF
IPPORT_USERRESERVED, xrefs: 00007FFE13331E24
IP_HDRINCL, xrefs: 00007FFE13331F2F
socket.herror, xrefs: 00007FFE13331117
IPPROTO_PUP, xrefs: 00007FFE13331B54
SOL_SOCKET, xrefs: 00007FFE133319D4
IPV6_UNICAST_HOPS, xrefs: 00007FFE13332187
IPV6_RTHDR, xrefs: 00007FFE13332295
IP_DROP_SOURCE_MEMBERSHIP, xrefs: 00007FFE133320D3
MSG_ERRQUEUE, xrefs: 00007FFE1333197A
SO_RCVLOWAT, xrefs: 00007FFE13331812
IPPROTO_DSTOPTS, xrefs: 00007FFE13331C80
AF_DECnet, xrefs: 00007FFE13331396
SOL_UDP, xrefs: 00007FFE13331A2E
WSAStartup failed: network not ready, xrefs: 00007FFE133339E8
MSG_PEEK, xrefs: 00007FFE133318E4
RCVALL_ON, xrefs: 00007FFE13332740
IPV6_RECVTCLASS, xrefs: 00007FFE13332277
SIO_LOOPBACK_FAST_PATH, xrefs: 00007FFE133326BA
HVSOCKET_ADDRESS_FLAG_PASSTHRU, xrefs: 00007FFE133314A4
MSG_CTRUNC, xrefs: 00007FFE1333193E
TCP_NODELAY, xrefs: 00007FFE133322D1
SOL_IP, xrefs: 00007FFE133319F2
SO_REUSEADDR, xrefs: 00007FFE133316C8
AI_ALL, xrefs: 00007FFE1333250B
EAI_FAIL, xrefs: 00007FFE133323C1
IPPROTO_IGP, xrefs: 00007FFE13331D70
IPPROTO_FRAGMENT, xrefs: 00007FFE13331BEA
WSAStartup failed: requested version not supported, xrefs: 00007FFE133339F1
EAI_SOCKTYPE, xrefs: 00007FFE13332475
IPPROTO_PGM, xrefs: 00007FFE13331DAC
SO_USELOOPBACK, xrefs: 00007FFE1333175E
SO_SNDLOWAT, xrefs: 00007FFE133317F4
has_ipv6, xrefs: 00007FFE1333123E
HVSOCKET_CONNECTED_SUSPEND, xrefs: 00007FFE13331486
AI_NUMERICSERV, xrefs: 00007FFE133324ED
IPPROTO_SCTP, xrefs: 00007FFE13331CBC, 00007FFE13331DE8
IPPROTO_GGP, xrefs: 00007FFE13331ABE
AF_IRDA, xrefs: 00007FFE133313F0
IP_DROP_MEMBERSHIP, xrefs: 00007FFE1333203D
TCP_FASTOPEN, xrefs: 00007FFE13332367
NI_NUMERICHOST, xrefs: 00007FFE133325BF
SO_ERROR, xrefs: 00007FFE1333186C
IPPROTO_EGP, xrefs: 00007FFE13331B36
WSAStartup failed: error code %d, xrefs: 00007FFE133339CF
IPPROTO_IPV6, xrefs: 00007FFE13331AFA
INADDR_MAX_LOCAL_GROUP, xrefs: 00007FFE13331ED5
SO_BROADCAST, xrefs: 00007FFE13331740
herror, xrefs: 00007FFE13331149
INADDR_ANY, xrefs: 00007FFE13331E3F
IPPORT_RESERVED, xrefs: 00007FFE13331E06
AF_INET6, xrefs: 00007FFE13331378
CAPI, xrefs: 00007FFE133312D4
error, xrefs: 00007FFE133311AA
MSG_DONTROUTE, xrefs: 00007FFE13331902
IPPROTO_ICMP, xrefs: 00007FFE13331A82
IPPROTO_L2TP, xrefs: 00007FFE13331DCA
IP_OPTIONS, xrefs: 00007FFE13331F11
MSG_TRUNC, xrefs: 00007FFE13331920
NI_MAXSERV, xrefs: 00007FFE13332583
AF_LINK, xrefs: 00007FFE133313B4
IP_TTL, xrefs: 00007FFE13331F6B

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Module_$Constant$String$Object$Err_$ConditionFromMask$DeallocException$Capsule_DictDict_ExitFormatInfoLongLong_MallocMem_MemoryMetaclassStartupTypeType_Unicode_UnsignedVerifyVersionmemset
String ID: 00000000-0000-0000-0000-000000000000$00:00:00:00:00:00$00:00:00:FF:FF:FF$90DB8B89-0D35-4F79-8CE9-49EA0AC8B7CD$A42E7CDA-D03F-480C-9CC2-A4DE20ABB878$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_HYPERV$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$E0E16197-DD56-4A10-9195-5EE7A155A838$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF$HVSOCKET_ADDRESS_FLAG_PASSTHRU$HVSOCKET_CONNECTED_SUSPEND$HVSOCKET_CONNECT_TIMEOUT$HVSOCKET_CONNECT_TIMEOUT_MAX$HV_GUID_BROADCAST$HV_GUID_CHILDREN$HV_GUID_LOOPBACK$HV_GUID_PARENT$HV_GUID_WILDCARD$HV_GUID_ZERO$HV_PROTOCOL_RAW$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_ADD_SOURCE_MEMBERSHIP$IP_BLOCK_SOURCE$IP_DROP_MEMBERSHIP$IP_DROP_SOURCE_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_PKTINFO$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$IP_UNBLOCK_SOURCE$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket.gaierror$socket.herror$timeout
API String ID: 1196102948-1188461360
Opcode ID: 0fb31f2eee656220925b4e47e62874025d6cd115870c459d51081d29a567eca9
Instruction ID: 793fe9db789615f8576ce65e197cf62a071756f2d7b2b83fd003fb7fd1d769df
Opcode Fuzzy Hash: 0fb31f2eee656220925b4e47e62874025d6cd115870c459d51081d29a567eca9
Instruction Fuzzy Hash: D8D2C961F08E1389F6148B23EC543649654BF65FE1F80D0B9D93EAA274EF6DE245C388

Function 00007FF77D681000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF77D683E02
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF77D683E9E
pyi-contents-directory, xrefs: 00007FF77D683B8D
Failed to start splash screen!, xrefs: 00007FF77D683ECC
Py_GIL_DISABLED, xrefs: 00007FF77D683AF4
pyi-runtime-tmpdir, xrefs: 00007FF77D683B68
Failed to remove temporary directory: %s, xrefs: 00007FF77D683FC7
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF77D6839DE
pyi-disable-windowed-traceback, xrefs: 00007FF77D683BB2
Failed to load splash screen resources!, xrefs: 00007FF77D683E7D
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF77D683B32
_PYI_SPLASH_IPC, xrefs: 00007FF77D683A23, 00007FF77D683EED
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF77D683971
pkg, xrefs: 00007FF77D6839BE
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF77D683BE8
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF77D683D35
VCRUNTIME140.dll, xrefs: 00007FF77D683DA9
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF77D683D12
Failed to convert DLL search path!, xrefs: 00007FF77D683DD4
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF77D683882, 00007FF77D6838AF
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF77D683A0B, 00007FF77D683CD4, 00007FF77D683F63
_PYI_ARCHIVE_FILE, xrefs: 00007FF77D6838D2, 00007FF77D6839FF
MEI, xrefs: 00007FF77D683933
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF77D683A17, 00007FF77D683A2F, 00007FF77D683A9B
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF77D683EB3
Could not create temporary directory!, xrefs: 00007FF77D683CBF
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF77D683C61
pyi-python-flag, xrefs: 00007FF77D683AD6

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: e13306a1dc2fdd2583e75603ea30a2f2fc44fee967f56f1d82945797d443fea0
Instruction ID: ebd3ec9b3ec3dca448e77d6bdf3460358655604b8587c5c124c62c269f785eff
Opcode Fuzzy Hash: e13306a1dc2fdd2583e75603ea30a2f2fc44fee967f56f1d82945797d443fea0
Instruction Fuzzy Hash: 86325B23E3C682D1EA15BB2594542BBA793AF957C0FC44236DA5DC3296FF2CE558C320

Function 00007FF77D6A6964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77D6A6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A66D9
Part of subcall function 00007FF77D6A6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A6757
Part of subcall function 00007FF77D6A6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A67A8

CreateFileW.KERNELBASE ref: 00007FF77D6A6A6A
CreateFileW.KERNEL32 ref: 00007FF77D6A6ABA
GetLastError.KERNEL32 ref: 00007FF77D6A6AEA
GetFileType.KERNELBASE ref: 00007FF77D6A6AFF
GetLastError.KERNEL32 ref: 00007FF77D6A6B09
CloseHandle.KERNEL32 ref: 00007FF77D6A6B3C
CloseHandle.KERNEL32 ref: 00007FF77D6A6C9F
CreateFileW.KERNEL32 ref: 00007FF77D6A6CD4
GetLastError.KERNEL32 ref: 00007FF77D6A6CE3

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 638d7e9c8017b22b817c77545fc0c9addb2e3502f45f0a0012853819baa71786
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: 7DC1B233F38A4285EB10EFA9D4902AE7762F789BD8B414325DA5E97794EF38E411C310

Function 00007FF77D689280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF77D6892B3
FindClose.KERNELBASE ref: 00007FF77D6892C2

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: ef05c9abaec79f1baf501e12dc119f0554db9dea8a58efbf38667a894d5111d3
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 6AF08623E3C64186E7A09B64B49476BB751AB843A4F440336D9AD416D5EF3CD0588600

Function 00007FFE13335AFC Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 234
threadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyType_GetModuleByDef.PYTHON312 ref: 00007FFE13335B40
PySys_Audit.PYTHON312 ref: 00007FFE13335B78
PyErr_Format.PYTHON312 ref: 00007FFE13335BD0
PySys_Audit.PYTHON312 ref: 00007FFE13335CCE
PyEval_SaveThread.PYTHON312 ref: 00007FFE13335CDC
WSASocketW.WS2_32 ref: 00007FFE13335D08
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13335D14
SetHandleInformation.KERNEL32 ref: 00007FFE13335D32
PyErr_SetFromWindowsErr.PYTHON312 ref: 00007FFE13335D3E
closesocket.WS2_32 ref: 00007FFE13335D47
PyLong_AsLongLong.PYTHON312 ref: 00007FFE13335D71
PyErr_Occurred.PYTHON312 ref: 00007FFE13335D80
PyErr_SetString.PYTHON312 ref: 00007FFE13335DA0
memset.VCRUNTIME140 ref: 00007FFE13335DC0
getsockname.WS2_32 ref: 00007FFE13335DD2
WSAGetLastError.WS2_32 ref: 00007FFE13335DF1
getsockopt.WS2_32 ref: 00007FFE13335E2E
PyEval_SaveThread.PYTHON312 ref: 00007FFE13335E6F
WSASocketW.WS2_32 ref: 00007FFE13335E90
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13335E9C

Strings

socket descriptor string has wrong size, should be %zu bytes., xrefs: 00007FFE13335BC0
socket.__new__, xrefs: 00007FFE13335B71, 00007FFE13335C69
Oiii, xrefs: 00007FFE13335B5F, 00007FFE13335CA9
negative file descriptor, xrefs: 00007FFE13335D96

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_Eval_Thread$AuditLongRestoreSaveSocketSys_$ErrorFormatFromHandleInformationLastLong_ModuleOccurredStringType_Windowsclosesocketgetsocknamegetsockoptmemset
String ID: Oiii$negative file descriptor$socket descriptor string has wrong size, should be %zu bytes.$socket.__new__
API String ID: 3363282672-2881308447
Opcode ID: 4cb0448f202c41487222ee5ef5d738bee55fded3baec7f269166aa18e43a2a4b
Instruction ID: b97a3cc58f1252197cce44a4863e6dc2eb1446be83d9cf868311c271099ad0a1
Opcode Fuzzy Hash: 4cb0448f202c41487222ee5ef5d738bee55fded3baec7f269166aa18e43a2a4b
Instruction Fuzzy Hash: 1EB14062A08E85C6F6109F2A94042B9A7A0FBA5FB4F049375DA6D636F1DF3CE5C48704

Function 00007FFE13334C58 Relevance: 42.2, APIs: 18, Strings: 6, Instructions: 170
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyEval_SaveThread.PYTHON312 ref: 00007FFE13334CBD
getaddrinfo.WS2_32 ref: 00007FFE13334CD9
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13334CE5
freeaddrinfo.WS2_32 ref: 00007FFE13334D09
PyErr_SetString.PYTHON312 ref: 00007FFE13334D20
freeaddrinfo.WS2_32 ref: 00007FFE13334D46
memcpy.VCRUNTIME140 ref: 00007FFE13334D68
freeaddrinfo.WS2_32 ref: 00007FFE13334D70
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE13334D87
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE13334D9E
inet_pton.WS2_32 ref: 00007FFE13334DCA
strchr.VCRUNTIME140 ref: 00007FFE13334DEF
inet_pton.WS2_32 ref: 00007FFE13334E15
PyEval_SaveThread.PYTHON312 ref: 00007FFE13334E43
getaddrinfo.WS2_32 ref: 00007FFE13334E5B
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13334E67
memcpy.VCRUNTIME140 ref: 00007FFE13334EA1
freeaddrinfo.WS2_32 ref: 00007FFE13334EA9

Strings

wildcard resolved to multiple address, xrefs: 00007FFE13334D4C
address family mismatched, xrefs: 00007FFE13334EDB
unsupported address family, xrefs: 00007FFE13334D0F
unknown address family, xrefs: 00007FFE13334EC2
255.255.255.255, xrefs: 00007FFE13334D7D
<broadcast>, xrefs: 00007FFE13334D94

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Threadfreeaddrinfo$RestoreSavegetaddrinfoinet_ptonmemcpystrcmp$Err_Stringstrchr
String ID: 255.255.255.255$<broadcast>$address family mismatched$unknown address family$unsupported address family$wildcard resolved to multiple address
API String ID: 535957624-1715193308
Opcode ID: 84e0856cd869813e583fc43c899fd160c3153486a779d11b04d7bc0fb41145c4
Instruction ID: 45b36c55ae07bede03ab2d6d827c35276558d0f5b4a7049a375df1c7337c356c
Opcode Fuzzy Hash: 84e0856cd869813e583fc43c899fd160c3153486a779d11b04d7bc0fb41145c4
Instruction Fuzzy Hash: 78718125A08E428AF7608F279404279A360FB68FA0F54C271DE6E736B5DF3CE5958708

Function 00007FFE13335190 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114
networkthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_PyDeadline_Get.PYTHON312 ref: 00007FFE133351E4
_PyDeadline_Init.PYTHON312 ref: 00007FFE1333520C
WSAGetLastError.WS2_32 ref: 00007FFE13335237
WSAGetLastError.WS2_32 ref: 00007FFE1333523F
PyErr_CheckSignals.PYTHON312 ref: 00007FFE13335250
PyEval_SaveThread.PYTHON312 ref: 00007FFE1333527B
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13335295
WSAGetLastError.WS2_32 ref: 00007FFE133352A4
WSAGetLastError.WS2_32 ref: 00007FFE133352AC
PyErr_CheckSignals.PYTHON312 ref: 00007FFE133352B9

Part of subcall function 00007FFE13334594: _PyTime_AsTimeval_clamp.PYTHON312 ref: 00007FFE133345E9
Part of subcall function 00007FFE13334594: PyEval_SaveThread.PYTHON312 ref: 00007FFE13334628
Part of subcall function 00007FFE13334594: select.WS2_32 ref: 00007FFE1333465C
Part of subcall function 00007FFE13334594: PyEval_RestoreThread.PYTHON312 ref: 00007FFE13334667

WSAGetLastError.WS2_32 ref: 00007FFE133352CC
WSAGetLastError.WS2_32 ref: 00007FFE133352E1
PyErr_SetString.PYTHON312 ref: 00007FFE1333531D

Strings

timed out, xrefs: 00007FFE13335313

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorLast$Eval_Thread$Err_$CheckDeadline_RestoreSaveSignals$InitStringTime_Timeval_clampselect
String ID: timed out
API String ID: 497267021-3163636755
Opcode ID: e8d612662e15c7c42ff97858117ad99e66a695495dedd8023d3accc3127b9541
Instruction ID: 80c77a4c33465ad9b07df6bb4c63610289dc35ba118497851f27eb81e5ed3df2
Opcode Fuzzy Hash: e8d612662e15c7c42ff97858117ad99e66a695495dedd8023d3accc3127b9541
Instruction Fuzzy Hash: 72414A61E0CE42CEFA615B67A444379E290AF64F74F0482B0DD6DA26F4DF7CA8858609

Function 00007FF77D681950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77D687F90: _fread_nolock.LIBCMT ref: 00007FF77D68803A

_fread_nolock.LIBCMT ref: 00007FF77D681A1B

Part of subcall function 00007FF77D682910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF77D681B6A), ref: 00007FF77D68295E

Strings

Could not allocate memory for archive structure!, xrefs: 00007FF77D681A61
Could not allocate buffer for TOC!, xrefs: 00007FF77D681B1B
Failed to read cookie!, xrefs: 00007FF77D681A2B
MEI, xrefs: 00007FF77D681991
Failed to seek to cookie position!, xrefs: 00007FF77D6819EE
Could not read full TOC!, xrefs: 00007FF77D681B55
fseek, xrefs: 00007FF77D6819F5
calloc, xrefs: 00007FF77D681A68
Error on file., xrefs: 00007FF77D681B8D
fread, xrefs: 00007FF77D681A32, 00007FF77D681B5C
malloc, xrefs: 00007FF77D681B22

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: b18f55c6ecb75a3fc56284abae084b4e17b12eab67ba0458cb036b44204923da
Instruction ID: 83922bc56829acc6bac01e1bf8f7adc290153d9d7fcf2b094e8aaa3f7ec5f98e
Opcode Fuzzy Hash: b18f55c6ecb75a3fc56284abae084b4e17b12eab67ba0458cb036b44204923da
Instruction Fuzzy Hash: 2C816272E3C686C5EB60AB14D0502BAA792EF887C4F844635D98DC7685FE3CE5858760

Function 00007FF77D681470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77D6814DE
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF77D6815DF
fseek, xrefs: 00007FF77D6814E5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF77D68149F
fread, xrefs: 00007FF77D6815E6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF77D681518
malloc, xrefs: 00007FF77D68151F

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: d2721f8f4a1b86741b69537dbfe1e2307113a529978f64cbd07fd1568b1093b8
Instruction ID: 1c993f77c24be8577f77987fd2f93e51290cf9efd07bd9fdbf9392e402d31871
Opcode Fuzzy Hash: d2721f8f4a1b86741b69537dbfe1e2307113a529978f64cbd07fd1568b1093b8
Instruction Fuzzy Hash: D1417EA3E3C64285EB10EB2194105BAE392BF847D4FC44A32ED4D87A99FE3CE5418725

Function 00007FFE13334484 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77
networkthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyEval_SaveThread.PYTHON312 ref: 00007FFE133344A2
connect.WS2_32 ref: 00007FFE133344B5
PyEval_RestoreThread.PYTHON312 ref: 00007FFE133344C0
WSAGetLastError.WS2_32 ref: 00007FFE133344CE
WSAGetLastError.WS2_32 ref: 00007FFE133344DA
PyErr_CheckSignals.PYTHON312 ref: 00007FFE133344E7
WSASetLastError.WS2_32 ref: 00007FFE13334501

Strings

3', xrefs: 00007FFE1333451A

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorLast$Eval_Thread$CheckErr_RestoreSaveSignalsconnect
String ID: 3'
API String ID: 4284410693-280543908
Opcode ID: 5ee1b2844932ffeb3788b70137a3e3ec97db18574fdf692120edec56d670c67d
Instruction ID: 4adae62879985039c43fc6627b2dac055c004e2c493851fd361ff8f2373c725e
Opcode Fuzzy Hash: 5ee1b2844932ffeb3788b70137a3e3ec97db18574fdf692120edec56d670c67d
Instruction Fuzzy Hash: 18313225F08F428AF7604F67A544279A690AF64FB4F048175EE6EB37B5DF3CE4408648

Function 00007FF77D681210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF77D681276
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF77D68141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF77D6812BA
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF77D6812EF
1.3.1, xrefs: 00007FF77D681249
malloc, xrefs: 00007FF77D6812C1, 00007FF77D6812F6

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: ab383ac4b995131bdd40696453c0f16ebeee9cffe796343d9728e2385cbc1d23
Instruction ID: 6fc43e447a5e945ef554c006f7a8bc8e178cab03547c7e4315cf93f1e5f21b37
Opcode Fuzzy Hash: ab383ac4b995131bdd40696453c0f16ebeee9cffe796343d9728e2385cbc1d23
Instruction Fuzzy Hash: 8951BE63E3CA4281EA60BB15A4503BBA693BF857D4FC44235ED4D87799FE3CE5428720

Function 00007FF77D6836B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF77D683804), ref: 00007FF77D6836E1
GetLastError.KERNEL32(?,00007FF77D683804), ref: 00007FF77D6836EB

Part of subcall function 00007FF77D682C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682C9E
Part of subcall function 00007FF77D682C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682D63
Part of subcall function 00007FF77D682C50: MessageBoxW.USER32 ref: 00007FF77D682D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF77D683790
\\?\, xrefs: 00007FF77D68375A
Failed to resolve full path to executable %ls., xrefs: 00007FF77D683739
GetModuleFileNameW, xrefs: 00007FF77D6836FA
Failed to obtain executable path., xrefs: 00007FF77D6836F3

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 2e476d2f6d941a74fd16b2d7717fb61c0f2e0d329c3e561c0342d00257dee15e
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: 9E212162F3C642C1FA20B724E8152BB9252BF983D4FC04336D59EC66D5FE2CE5048724

Function 00007FF77D69BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69BE89

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction ID: 80d9848ce04a3ccc5ac468d0a5d3889eb111a81db3293cd5f5d8d96e5f846de3
Opcode Fuzzy Hash: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction Fuzzy Hash: 21C1D523D3C68691E650AB1990802BFBF57FB81BC0F950379EA4D83395EE7CE4498721

Function 00007FFE1333599C Relevance: 10.6, APIs: 7, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_PyArg_UnpackKeywords.PYTHON312 ref: 00007FFE13335A2C
_PyLong_AsInt.PYTHON312 ref: 00007FFE13335A4B
PyErr_Occurred.PYTHON312 ref: 00007FFE13335A58
_PyLong_AsInt.PYTHON312 ref: 00007FFE13335A72
PyErr_Occurred.PYTHON312 ref: 00007FFE13335A7F
_PyLong_AsInt.PYTHON312 ref: 00007FFE13335A99
PyErr_Occurred.PYTHON312 ref: 00007FFE13335AA7

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_Long_Occurred$Arg_KeywordsUnpack
String ID:
API String ID: 591546834-0
Opcode ID: eaa410074ab6af26ceaef7c7596cb67db9cb42dc3dbf0cc41afd0b861dd1535a
Instruction ID: 6ac3a1aaa2476cb816bcf56a99ddc9b1bafe6f3906480d3bc7f45471325f6687
Opcode Fuzzy Hash: eaa410074ab6af26ceaef7c7596cb67db9cb42dc3dbf0cc41afd0b861dd1535a
Instruction Fuzzy Hash: 9541A362A19E42CAFE529B63A454374A290BF24FB4F188675DE3D637E0DF3CE4849344

Function 00007FF77D686360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to load Python DLL '%ls'., xrefs: 00007FF77D6864A7
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF77D6863C7
LoadLibrary, xrefs: 00007FF77D6864AE
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF77D686456
ucrtbase.dll, xrefs: 00007FF77D6863DD
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF77D686407

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction ID: e930acdb83edfe63373f6dbed40ed639e00ecd0f7df7aa3d1f0f0edfdebd16b6
Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction Fuzzy Hash: D0412932E3C686D1EA15EB60E4542EAA352FB943C4FC04232DA9D83695FF3CE559C760

Function 00007FFE133376FC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13337738
PySys_Audit.PYTHON312 ref: 00007FFE13337757
PyMem_Free.PYTHON312 ref: 00007FFE13337798

Strings

socket.gethostbyname, xrefs: 00007FFE13337750
et:gethostbyname, xrefs: 00007FFE1333772F
idna, xrefs: 00007FFE13337725

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_AuditFreeMem_ParseSizeSys_Tuple_
String ID: et:gethostbyname$idna$socket.gethostbyname
API String ID: 3195760359-1353326193
Opcode ID: 8c3671177d6417e8f700e328b80b74f8916f546f18c6b125032ce1e96dbaf85f
Instruction ID: 03d6ba511f82d25d6f243373a026db6e17cc10f129c529ce798c670919311f0d
Opcode Fuzzy Hash: 8c3671177d6417e8f700e328b80b74f8916f546f18c6b125032ce1e96dbaf85f
Instruction Fuzzy Hash: F1115461B18E8289E7109B23F4441A6A761FFA8FE4F408171EAAE67775DE3CD145C704

Function 00007FFE133346B0 Relevance: 9.0, APIs: 6, Instructions: 34threadnetworkCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON312(?,?,?,00007FFE1333446A), ref: 00007FFE133346C4
ioctlsocket.WS2_32 ref: 00007FFE133346E9
PyEval_RestoreThread.PYTHON312(?,?,?,00007FFE1333446A), ref: 00007FFE133346F6
PyEval_RestoreThread.PYTHON312(?,?,?,00007FFE1333446A), ref: 00007FFE13334700
WSAGetLastError.WS2_32(?,?,?,00007FFE1333446A), ref: 00007FFE13334706
PyErr_SetExcFromWindowsErr.PYTHON312(?,?,?,00007FFE1333446A), ref: 00007FFE13334718

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$Restore$Err_ErrorFromLastSaveWindowsioctlsocket
String ID:
API String ID: 863680558-0
Opcode ID: 964070f957597cead12d681d8d9d4b975f1a861eb6e29b6fc22a496edc13ce25
Instruction ID: e62046da84133128b76eda7a5a6240090914351252c905e921934f5329109777
Opcode Fuzzy Hash: 964070f957597cead12d681d8d9d4b975f1a861eb6e29b6fc22a496edc13ce25
Instruction Fuzzy Hash: CB014425B19E42C6E3509B77F444169A3A0EF98FF1B508070E96E63774CE3CD4D58704

Function 00007FF77D695628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D695655
CreateFileW.KERNELBASE ref: 00007FF77D695694
CloseHandle.KERNEL32 ref: 00007FF77D6956C9

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: ea7e72c7268e0419abb72c941a83c969c7be7a1269a0cadce512aafad17464ad
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: A7419273D3C78183E610AB20951037AA662FB943E4F508339EA9C47AD5EF6CA5A08710

Function 00007FFE13334594 Relevance: 6.1, APIs: 4, Instructions: 75threadtimeCOMMON

Download Yara Rule

APIs

_PyTime_AsTimeval_clamp.PYTHON312 ref: 00007FFE133345E9
PyEval_SaveThread.PYTHON312 ref: 00007FFE13334628
select.WS2_32 ref: 00007FFE1333465C
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13334667

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$RestoreSaveTime_Timeval_clampselect
String ID:
API String ID: 3905867726-0
Opcode ID: 12a889711c2c2e54b49b1f454469c8620633830652707fbfba1c602784efdac5
Instruction ID: b6401b1962018c88e5468518815d68d8756b9dae774ccf28dc6e9be0a8189d48
Opcode Fuzzy Hash: 12a889711c2c2e54b49b1f454469c8620633830652707fbfba1c602784efdac5
Instruction Fuzzy Hash: F931B872B08F818AE760CF27A8443A5A390FB98BB4F504275DA7D637A4DF3CD4058708

Function 00007FFE133353A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13333DD0: PyErr_Format.PYTHON312 ref: 00007FFE13334154

PySys_Audit.PYTHON312 ref: 00007FFE133353FC

Part of subcall function 00007FFE13334484: PyEval_SaveThread.PYTHON312 ref: 00007FFE133344A2
Part of subcall function 00007FFE13334484: connect.WS2_32 ref: 00007FFE133344B5
Part of subcall function 00007FFE13334484: PyEval_RestoreThread.PYTHON312 ref: 00007FFE133344C0
Part of subcall function 00007FFE13334484: WSAGetLastError.WS2_32 ref: 00007FFE133344CE
Part of subcall function 00007FFE13334484: WSAGetLastError.WS2_32 ref: 00007FFE133344DA
Part of subcall function 00007FFE13334484: PyErr_CheckSignals.PYTHON312 ref: 00007FFE133344E7
Part of subcall function 00007FFE13334484: WSASetLastError.WS2_32 ref: 00007FFE13334501

Strings

socket.connect, xrefs: 00007FFE133353F5
connect, xrefs: 00007FFE133353C3

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorLast$Err_Eval_Thread$AuditCheckFormatRestoreSaveSignalsSys_connect
String ID: connect$socket.connect
API String ID: 2206401578-326844852
Opcode ID: f61d2d1e51494460e737621043c48afaf6b2b37121598ef846ec6ce56cffa346
Instruction ID: 62ac3c42190a2e0aa211a407fecc58f078779d752994e60564538a6204a19685
Opcode Fuzzy Hash: f61d2d1e51494460e737621043c48afaf6b2b37121598ef846ec6ce56cffa346
Instruction Fuzzy Hash: 9F115B21B08E82C9FB209B13F4403A6B360BF64BE4F409072DE6D67AA5DE3CE141C704

Function 00007FF77D68CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77D68CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF77D68CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF77D68CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF77D68CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF77D68CD21

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 914ca16ccf4346beff4d0740888d0e3adcdcd3908f1196b53007a2791beb6d9e
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 2E314A23E3C24385FA14BB6594212BBA6839F853C4FC55235EA4DC72D7FE2CA808C230

Function 00007FF77D699A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF77D699A2C), ref: 00007FF77D699A41
TerminateProcess.KERNEL32(?,?,?,00007FF77D699A2C), ref: 00007FF77D699A4C
ExitProcess.KERNEL32 ref: 00007FF77D699A5B

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: 34d50d27d36c7eb228f4ae2060e3627701440c600119799c8ca60bb6fb0ff0f3
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: 11D09E12F3C74642EB183F755C5507E965BAF88781F94267DC84BC6393FD2CA8494320

Function 00007FF77D69013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D690180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D690277

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 21c0bdc59a7a93c0742b9ae98d83d451d752be6ea68830a80dd56eb435c3a41b
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: F451D823F3D24286E764BA65940067BA793AF84BE4F984778DD6DD37C9EE3CD4018620

Function 00007FF77D69C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF77D69C2CD), ref: 00007FF77D69C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF77D69C2CD), ref: 00007FF77D69C18A

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: fe1c6438bf410d08f137c0ca01d62abe3ad886dae487efa23d711f97814a878c
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: A811B662A3CA4181DA209B15B85417AB753AB45FF4F944335EE7D877D5EE3CD0118704

Function 00007FF77D69AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF77D69A9D5,?,?,00000000,00007FF77D69AA8A), ref: 00007FF77D69ABC6
GetLastError.KERNEL32(?,?,?,00007FF77D69A9D5,?,?,00000000,00007FF77D69AA8A), ref: 00007FF77D69ABD0

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: e2ad6391bf9841f06cbde35e8cc9902471aad44a92eb800acae98f259ce72047
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 8A219252F3C68241EAA07751959037FA6C39F84BE4F8443BDE96ECB7D5EE6CE4414220

Function 00007FF77D69BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69BED4

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 1341a35870d3daf0a261345285948970b17c3c62fb942517886956d6244abe96
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: C541A833D3C24187EA24AB19A58017AB7A3EB55BC0F500379D68EC36D5EF6CE402CB61

Function 00007FF77D687F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF77D68803A

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 099000bfa7eb4d531f925c94d3ef225b080b4c69407bccb7aa9f501698e7d18a
Instruction ID: 95eef0b9fb9ae0f7f0e94ee4543e26550f4de6ba46678be69ddfdd3d6290369d
Opcode Fuzzy Hash: 099000bfa7eb4d531f925c94d3ef225b080b4c69407bccb7aa9f501698e7d18a
Instruction Fuzzy Hash: D6216F22F7C69286EA50BA2269043BBD752BF45FC4FC84535EE0D9B786EE7DE0418210

Function 00007FF77D69B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69B9C2

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction ID: 3e39e0dda8aef983554fb3a1958000068eba41bd1e8be829d58bd4f8ac2e56f6
Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction Fuzzy Hash: 3E317423E3C60285E6117B69948137EAA53AF95BE0FC10379D91D833D2EE7CE4418735

Function 00007FF77D699961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF77D69998F

Part of subcall function 00007FF77D699A88: GetModuleHandleExW.KERNEL32 ref: 00007FF77D699AAD
Part of subcall function 00007FF77D699A88: GetProcAddress.KERNEL32 ref: 00007FF77D699AC3
Part of subcall function 00007FF77D699A88: FreeLibrary.KERNEL32 ref: 00007FF77D699AEA

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: 27d2d722566f3883fccce894ffa33606881ef06c02cb5dc04ad4876933af58f1
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: 31219C72E2874589EB24AF74C4802BD33AAEB04358F84163BE75C86A85FF38D444C750

Function 00007FF77D695F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D695EF9

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 136951fb9509d705491368f8ee86a25d4afcc9f1a3e8ff0f38ff872a8c37cef5
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 27113333E3D64281EA60BF11940017BE667AF85BD4F844679EA8C97A9DEF3DE4015720

Function 00007FF77D6A6354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A6377

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: d1bb41677979dd9643b95bed57c614ae39378a41c57e0cf896c9ca7ba700f38e
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: D821A473A3CA4286DB60AF58D44037AB6A2FBD4B94F944334E69D876D5EF3CD4018B10

Function 00007FF77D6903BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D690410

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 027e05393a801b3cf4312072a579ee1b0245e3008372fa877798353260f46892
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: F8017022E3C74180E644BB52990007AE793AB95FE0F884775EE5CA3BDAEE3CD4118310

Function 00007FF77D688E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77D689390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77D6845F4,00000000,00007FF77D681985), ref: 00007FF77D6893C9

LoadLibraryExW.KERNELBASE(?,00007FF77D686476,?,00007FF77D68336E), ref: 00007FF77D688EA2

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction ID: db3d74427a2f92bbedf783d37f0326c31954e9341216ed21b0192f6d2321361b
Opcode Fuzzy Hash: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction Fuzzy Hash: 58D0CD02F3815542EA44B767754663A91535FC9BC0FC8C035EE4D43749FC3CD0414700

Function 00007FF77D69D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF77D690C90,?,?,?,00007FF77D6922FA,?,?,?,?,?,00007FF77D693AE9), ref: 00007FF77D69D63A

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: e83b0a8adcd1f60e09fa382d63607825a85069ea51ee0710c564be3489a39218
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 83F03A26E7D20240FE547BA1585527692934FC47E0F8C0778DA2EC62C2FD2CA4808930

Non-executed Functions

Function 00007FF77D6889E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77D689390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77D6845F4,00000000,00007FF77D681985), ref: 00007FF77D6893C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688A56

Part of subcall function 00007FF77D69A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69A490

Part of subcall function 00007FF77D69871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D698783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688AE6
CreateProcessW.KERNEL32 ref: 00007FF77D688B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688B28

Part of subcall function 00007FF77D682C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682C9E
Part of subcall function 00007FF77D682C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682D63
Part of subcall function 00007FF77D682C50: MessageBoxW.USER32 ref: 00007FF77D682D99

RegisterClassW.USER32 ref: 00007FF77D688B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688B8B
CreateWindowExW.USER32 ref: 00007FF77D688BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688C15
PeekMessageW.USER32 ref: 00007FF77D688C39
TranslateMessage.USER32 ref: 00007FF77D688C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688C51
PeekMessageW.USER32 ref: 00007FF77D688C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688E04
GetExitCodeProcess.KERNEL32 ref: 00007FF77D688E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF77D683F77), ref: 00007FF77D688E2F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF77D688B54
CreateProcessW, xrefs: 00007FF77D688B37
PyInstaller Onefile Hidden Window, xrefs: 00007FF77D688B95
Failed to create child process!, xrefs: 00007FF77D688B30

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 34e00377a7c517d4f3711e910cfb026c9c9e8db004f15c7c2e3c4c669b66cad1
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: BCD15533E3CA8286E710AF34E8542AABB62FF84B94F800335DA5D87695EF3CD5458750

Function 00007FFE13333B20 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 181networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FFE13333B4A

Part of subcall function 00007FFE13334B14: _Py_BuildValue_SizeT.PYTHON312(?,?,?,00007FFE13333B5A), ref: 00007FFE13334B2F
Part of subcall function 00007FFE13334B14: PyErr_SetObject.PYTHON312(?,?,?,00007FFE13333B5A), ref: 00007FFE13334B44
Part of subcall function 00007FFE13334B14: _Py_Dealloc.PYTHON312(?,?,?,00007FFE13333B5A), ref: 00007FFE13334B58

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13333B6E
PyErr_SetFromErrno.PYTHON312 ref: 00007FFE13333B84

Strings

NOO, xrefs: 00007FFE13333D43
surrogatepass, xrefs: 00007FFE13333D2E
unsupported address family, xrefs: 00007FFE13333D62

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_$BuildDeallocErrnoErrorFromLastObjectSizeValue__errno
String ID: NOO$surrogatepass$unsupported address family
API String ID: 316901363-472101058
Opcode ID: b91f96f39c30ed59f8962875126381abc059683d57aa2602eb85b04b624b84c7
Instruction ID: 407dead9bf38496847ba8c84407135c9e545c47bef09f57d6d523f07ff94e995
Opcode Fuzzy Hash: b91f96f39c30ed59f8962875126381abc059683d57aa2602eb85b04b624b84c7
Instruction Fuzzy Hash: C5816021E09E4689EA558F22A444279E3A0FF65FB5F04C175DA6D637B4EF3CE481C704

Function 00007FFE00451880 Relevance: 13.9, APIs: 9, Instructions: 425COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON312 ref: 00007FFE004518E3
PyType_IsSubtype.PYTHON312 ref: 00007FFE004519D6
PyType_IsSubtype.PYTHON312 ref: 00007FFE00451A33
PyUnicode_FromKindAndData.PYTHON312 ref: 00007FFE00451B04
PyMem_Free.PYTHON312 ref: 00007FFE00451B12
PyMem_Realloc.PYTHON312 ref: 00007FFE00451BF8
PyMem_Free.PYTHON312 ref: 00007FFE00453B1A
PyErr_NoMemory.PYTHON312 ref: 00007FFE00453B20

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Mem_$FreeSubtypeType_$DataErr_FromKindMallocMemoryReallocUnicode_
String ID:
API String ID: 3719493655-0
Opcode ID: 0b61fa8abd9dfcdf7751d429d18c280f61a1d7a5a4373fae919a70ebd3257318
Instruction ID: 4fa7ae44544d6461abb3095b6afa45663efd54d19575fb4517c2f3d43d72559f
Opcode Fuzzy Hash: 0b61fa8abd9dfcdf7751d429d18c280f61a1d7a5a4373fae919a70ebd3257318
Instruction Fuzzy Hash: 13020372B0CA9282EB258F14E45477927A1FB85786F584131D78E867BAEE3DF944C308

Function 00007FFE13333328 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE13333344
memset.VCRUNTIME140 ref: 00007FFE13333368
RtlCaptureContext.KERNEL32 ref: 00007FFE13333371
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE1333338B
RtlVirtualUnwind.KERNEL32 ref: 00007FFE133333CC
memset.VCRUNTIME140 ref: 00007FFE133333FF
IsDebuggerPresent.KERNEL32 ref: 00007FFE13333420
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE1333343D
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE13333448

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 5130b0c2a8b4ddc3ad2379c44f9e6e14e4431d38d65cb8e8484721bef110eafb
Instruction ID: 2bee7c634e848ba860b70c4efc3d09a5c8cd37528dfe8bb370483b3e27ef7693
Opcode Fuzzy Hash: 5130b0c2a8b4ddc3ad2379c44f9e6e14e4431d38d65cb8e8484721bef110eafb
Instruction Fuzzy Hash: 7C313B72609F818AEB608F61E8803EDB364FB94B64F44803ADA5E57BA5DF3CD548C704

Function 00007FFE00453028 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE00453044
memset.VCRUNTIME140 ref: 00007FFE00453068
RtlCaptureContext.KERNEL32 ref: 00007FFE00453071
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE0045308B
RtlVirtualUnwind.KERNEL32 ref: 00007FFE004530CC
memset.VCRUNTIME140 ref: 00007FFE004530FF
IsDebuggerPresent.KERNEL32 ref: 00007FFE00453120
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE0045313D
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE00453148

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 077b0f214cb87451efc13930c849abf149ec882450af492fe5d50a1ac414abff
Instruction ID: 4078ca2cf40a8712100cdaf5ce872dc258a52ac47d6736011578d35cc5faec49
Opcode Fuzzy Hash: 077b0f214cb87451efc13930c849abf149ec882450af492fe5d50a1ac414abff
Instruction Fuzzy Hash: 44312C72609B819AEB608F60E8503FE7364FB84746F44443ADB4E47BAADF38D648C714

Function 00007FFE148E1AA0 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE148E1ABC
memset.VCRUNTIME140 ref: 00007FFE148E1AE0
RtlCaptureContext.KERNEL32 ref: 00007FFE148E1AE9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE148E1B03
RtlVirtualUnwind.KERNEL32 ref: 00007FFE148E1B44
memset.VCRUNTIME140 ref: 00007FFE148E1B77
IsDebuggerPresent.KERNEL32 ref: 00007FFE148E1B98
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE148E1BB5
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE148E1BC0

Memory Dump Source

Source File: 00000001.00000002.2667804984.00007FFE148E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000001.00000002.2667789447.00007FFE148E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667838554.00007FFE148E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667854016.00007FFE148E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe148e0000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 99395305cdb11cdb041beb820624a25ea4585affacafc0dcd255409337a1a2bc
Instruction ID: c4dff98e0cc2426d8c08e78b8292b3360ced648ed605492f40c6d5a7c958929d
Opcode Fuzzy Hash: 99395305cdb11cdb041beb820624a25ea4585affacafc0dcd255409337a1a2bc
Instruction Fuzzy Hash: DB311B72609F8186EB609F61E8803F9B364FB85754F44447AEA4E57BA8EF38D64C8710

Function 00007FF77D6883C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D68842B
RemoveDirectoryW.KERNEL32(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D6884AE
DeleteFileW.KERNEL32(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D6884CD
FindNextFileW.KERNEL32(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D6884DB
FindClose.KERNEL32(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D6884EC
RemoveDirectoryW.KERNEL32(?,00007FF77D688919,00007FF77D683F9D), ref: 00007FF77D6884F5

Strings

%s\*, xrefs: 00007FF77D6883F2

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: c07d5cb395715dd410a49aadce718f7da0e29f8871393ed39e3004db75572869
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: 3A410F23E3C642C5EA60AB64B4441BBA7A2FB98BD4FD00332E69DC2695FF3CD5458750

Function 00007FFE004512F0 Relevance: 10.8, APIs: 7, Instructions: 343COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE00451880: PyMem_Malloc.PYTHON312 ref: 00007FFE004518E3
Part of subcall function 00007FFE00451880: PyType_IsSubtype.PYTHON312 ref: 00007FFE004519D6
Part of subcall function 00007FFE00451880: PyType_IsSubtype.PYTHON312 ref: 00007FFE00451A33

PyMem_Malloc.PYTHON312 ref: 00007FFE00451376
PyMem_Free.PYTHON312 ref: 00007FFE0045147C
PyErr_NoMemory.PYTHON312 ref: 00007FFE00453989
_Py_Dealloc.PYTHON312 ref: 00007FFE0045399D

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Mem_$MallocSubtypeType_$DeallocErr_FreeMemory
String ID:
API String ID: 4139299733-0
Opcode ID: bb7a1583b311f9023fc161d2ea2417430d383a05e2e7d543d3dd2600494f88aa
Instruction ID: 0d22f4a137b36585a2124edee999a806dac0a99209667b3ff869187a07288b90
Opcode Fuzzy Hash: bb7a1583b311f9023fc161d2ea2417430d383a05e2e7d543d3dd2600494f88aa
Instruction Fuzzy Hash: 43E1BDB2E0CA5382EB248F15D054B7D27A1EB51786F140131EB4F837BAEE6CEA41C704

Function 00007FF77D68D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF77D68D148
RtlCaptureContext.KERNEL32 ref: 00007FF77D68D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF77D68D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF77D68D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF77D68D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF77D68D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF77D68D24C

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 7d1036c6c82a6052f7ed7e1c180a54b758027f9c70dad95328147599a9ae7eed
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: C3311273A28B8185EB60DF64E8503EE6765FB84744F44413ADB8D87B94EF38D548C720

Function 00007FFE133350C0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47threadnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13333DD0: PyErr_Format.PYTHON312 ref: 00007FFE13334154

PySys_Audit.PYTHON312 ref: 00007FFE13335118
PyEval_SaveThread.PYTHON312 ref: 00007FFE1333512A
bind.WS2_32 ref: 00007FFE13335141
PyEval_RestoreThread.PYTHON312 ref: 00007FFE1333514C

Strings

bind, xrefs: 00007FFE133350DF
socket.bind, xrefs: 00007FFE13335111

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$AuditErr_FormatRestoreSaveSys_bind
String ID: bind$socket.bind
API String ID: 1695574521-187351271
Opcode ID: c772f091d13961e78706c3e49babb2eae7ea45e540c7b9e2188f6b33e05915ab
Instruction ID: 50bb82d91c76d9e78f8e6753514f46ef3fcf7c032cf1a7e501cf7d51a2025156
Opcode Fuzzy Hash: c772f091d13961e78706c3e49babb2eae7ea45e540c7b9e2188f6b33e05915ab
Instruction Fuzzy Hash: B111DB21A09E82C5FA209B52F4443AAB364FF68FA4F048171DA5D67B64DE3CE5458708

Function 00007FF77D6A5C00 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF77D6A5C45

Part of subcall function 00007FF77D6A5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A55AC

Part of subcall function 00007FF77D69A948: HeapFree.KERNEL32(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A95E
Part of subcall function 00007FF77D69A948: GetLastError.KERNEL32(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A968

Part of subcall function 00007FF77D69A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF77D69A8DF,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69A909
Part of subcall function 00007FF77D69A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF77D69A8DF,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69A92E

_get_daylight.LIBCMT ref: 00007FF77D6A5C34

Part of subcall function 00007FF77D6A55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A560C

_get_daylight.LIBCMT ref: 00007FF77D6A5EAA
_get_daylight.LIBCMT ref: 00007FF77D6A5EBB
_get_daylight.LIBCMT ref: 00007FF77D6A5ECC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF77D6A610C), ref: 00007FF77D6A5EF3

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction ID: 84a1d99538c7b729871c4fd621ae15e0faac0752d833767e992d1e87c2e3ead1
Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction Fuzzy Hash: E0D18F33E3C25245E724FF2595411BAA792EB947C4FC48236EA8D87A99FF3CE4418760

Function 00007FF77D69A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF77D69A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF77D69A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF77D69A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF77D69A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF77D69A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF77D69A72E

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 2168f0251e0edc82cf9c3ff9d270d03f838ae3f58a0b4a548375ef2d03e2967c
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: D6317437A28B8185DB60DB24E8402BF77A5FB84798F940236EA9D83B55EF3CC155CB10

Function 00007FFE133360CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE133360EF
PyEval_SaveThread.PYTHON312 ref: 00007FFE13336107
listen.WS2_32 ref: 00007FFE13336122
PyEval_RestoreThread.PYTHON312 ref: 00007FFE1333612D

Strings

|i:listen, xrefs: 00007FFE133360E8

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$Arg_ParseRestoreSaveSizeTuple_listen
String ID: |i:listen
API String ID: 3610171639-1087349693
Opcode ID: e8d47ebe0e10a6c5cc8300ffc03bcd4294c79b16c36a614c1882deaffce03895
Instruction ID: 7d71855075454d5161dfa195fa9e40390847241e36c1d68978340be76b02f034
Opcode Fuzzy Hash: e8d47ebe0e10a6c5cc8300ffc03bcd4294c79b16c36a614c1882deaffce03895
Instruction Fuzzy Hash: 9A012D21E18E41CBEA558B17E88416AA370FFA4FA0F148171DA6E53B64DF3CE4958708

Function 00007FF77D6A1874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A18C0
FindFirstFileExW.KERNEL32 ref: 00007FF77D6A19CA

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
Instruction ID: 125be0b080765887eaaac8652f811729fe6dc44776966959b9e78c55322146d3
Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
Instruction Fuzzy Hash: 38B1A963F3C69641EA61AB2195001BBE392EB94BE4F845236DADD87785FF3CE441C320

Function 00007FF77D6A5E7C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF77D6A5EAA

Part of subcall function 00007FF77D6A55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A560C

_get_daylight.LIBCMT ref: 00007FF77D6A5EBB

Part of subcall function 00007FF77D6A5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A55AC

_get_daylight.LIBCMT ref: 00007FF77D6A5ECC

Part of subcall function 00007FF77D6A55C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A55DC

Part of subcall function 00007FF77D69A948: HeapFree.KERNEL32(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A95E
Part of subcall function 00007FF77D69A948: GetLastError.KERNEL32(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A968

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF77D6A610C), ref: 00007FF77D6A5EF3

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction ID: b288ef16ba4581bc56b0ebfd55469ac10e8c2754b8a98275d16c27a205f8ae34
Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction Fuzzy Hash: D6513033E3C64286E710FF25D5815AAE762BB987C4F804236EA8DC7695EF3CE4418760

Function 00007FFE133365E8 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFE13336605
recvfrom.WS2_32 ref: 00007FFE13336642

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: memsetrecvfrom
String ID:
API String ID: 3853191257-0
Opcode ID: f031a1c2a463a518b847baec274cdf4d934d90cae8577544affea3f0f72a4b2a
Instruction ID: 94fd41cdad84d617df0d6043dd33423bf33e90b12e5fd7e019f0f371e1c1a457
Opcode Fuzzy Hash: f031a1c2a463a518b847baec274cdf4d934d90cae8577544affea3f0f72a4b2a
Instruction Fuzzy Hash: B5F019B6A14F8586DB208F26E080169B3B1F798FE8F248221DF6C577A8DF38C491C744

Function 00007FF77D685830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D685840
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D685852
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D685889
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68589B
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6858B4
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6858C6
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6858DF
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6858F1
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68590D
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68591F
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68593B
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68594D
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D685969
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D68597B
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D685997
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6859A9
GetProcAddress.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6859C5
GetLastError.KERNEL32(?,00007FF77D6864CF,?,00007FF77D68336E), ref: 00007FF77D6859D7

Strings

PyObject_CallFunction, xrefs: 00007FF77D685CF7, 00007FF77D685D19
PyErr_Clear, xrefs: 00007FF77D685AA1, 00007FF77D685AC3
PyImport_AddModule, xrefs: 00007FF77D685BE3, 00007FF77D685C05
PyErr_NormalizeException, xrefs: 00007FF77D685AFD, 00007FF77D685B1F
GetProcAddress, xrefs: 00007FF77D685868
PyErr_Restore, xrefs: 00007FF77D685B87, 00007FF77D685BA9
Py_DecodeLocale, xrefs: 00007FF77D68587F, 00007FF77D6858A1
PyUnicode_Replace, xrefs: 00007FF77D685FD7, 00007FF77D685FF9
PyRun_SimpleStringFlags, xrefs: 00007FF77D685E0B, 00007FF77D685E2D
PyUnicode_FromString, xrefs: 00007FF77D685F7B, 00007FF77D685F9D
PyConfig_InitIsolatedConfig, xrefs: 00007FF77D6859BB, 00007FF77D6859DD
Py_DecRef, xrefs: 00007FF77D685836, 00007FF77D685858
Failed to get address for %hs, xrefs: 00007FF77D685861
PyUnicode_FromFormat, xrefs: 00007FF77D685F4D, 00007FF77D685F6F
PyEval_EvalCode, xrefs: 00007FF77D685BB5, 00007FF77D685BD7
PyErr_Print, xrefs: 00007FF77D685B59, 00007FF77D685B7B
PyConfig_Clear, xrefs: 00007FF77D68598D, 00007FF77D6859AF
Py_InitializeFromConfig, xrefs: 00007FF77D685903, 00007FF77D685925
PyUnicode_Decode, xrefs: 00007FF77D685EF1, 00007FF77D685F13
PyConfig_Read, xrefs: 00007FF77D6859E9, 00007FF77D685A0B
PyConfig_SetWideStringList, xrefs: 00007FF77D685A73, 00007FF77D685A95
PyConfig_SetBytesString, xrefs: 00007FF77D685A17, 00007FF77D685A39
PyUnicode_Join, xrefs: 00007FF77D685FA9, 00007FF77D685FCB
PyStatus_Exception, xrefs: 00007FF77D685E39, 00007FF77D685E5B
PyModule_GetDict, xrefs: 00007FF77D685CC9, 00007FF77D685CEB
PyImport_ImportModule, xrefs: 00007FF77D685C3F, 00007FF77D685C61
PyUnicode_DecodeFSDefault, xrefs: 00007FF77D685F1F, 00007FF77D685F41
Py_IsInitialized, xrefs: 00007FF77D685931, 00007FF77D685953
PyMem_RawFree, xrefs: 00007FF77D685C9B, 00007FF77D685CBD
PySys_SetObject, xrefs: 00007FF77D685E95, 00007FF77D685EB7
PyObject_GetAttrString, xrefs: 00007FF77D685D53, 00007FF77D685D75
PySys_GetObject, xrefs: 00007FF77D685E67, 00007FF77D685E89
PyObject_CallFunctionObjArgs, xrefs: 00007FF77D685D25, 00007FF77D685D47
PyMarshal_ReadObjectFromString, xrefs: 00007FF77D685C6D, 00007FF77D685C8F
Py_PreInitialize, xrefs: 00007FF77D68595F, 00007FF77D685981
PyImport_ExecCodeModule, xrefs: 00007FF77D685C11, 00007FF77D685C33
PyErr_Occurred, xrefs: 00007FF77D685B2B, 00007FF77D685B4D
Py_Finalize, xrefs: 00007FF77D6858D5, 00007FF77D6858F7
PyObject_Str, xrefs: 00007FF77D685DAF, 00007FF77D685DD1
PyObject_SetAttrString, xrefs: 00007FF77D685D81, 00007FF77D685DA3
PyConfig_SetString, xrefs: 00007FF77D685A45, 00007FF77D685A67
PyErr_Fetch, xrefs: 00007FF77D685ACF, 00007FF77D685AF1
PyUnicode_AsUTF8, xrefs: 00007FF77D685EC3, 00007FF77D685EE5
Py_ExitStatusException, xrefs: 00007FF77D6858AA, 00007FF77D6858CC
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF77D685DDD, 00007FF77D685DFF

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: 79a2aa684798d68db572ee7fe86d9353dcc48203dacf02854a67bea2127dd6c7
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: 90229266E3DB17D1FA05BB69A814577A7A2AF847C1BC51336C49E82364FF3CB5488230

Function 00007FF77D6876C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF77D6876D7
GetLastError.KERNEL32 ref: 00007FF77D6876E9
GetProcAddress.KERNEL32 ref: 00007FF77D687725
GetLastError.KERNEL32 ref: 00007FF77D687737
GetProcAddress.KERNEL32 ref: 00007FF77D687750
GetLastError.KERNEL32 ref: 00007FF77D687762
GetProcAddress.KERNEL32 ref: 00007FF77D68777B
GetLastError.KERNEL32 ref: 00007FF77D68778D
GetProcAddress.KERNEL32 ref: 00007FF77D6877A9
GetLastError.KERNEL32 ref: 00007FF77D6877BB
GetProcAddress.KERNEL32 ref: 00007FF77D6877D7
GetLastError.KERNEL32 ref: 00007FF77D6877E9
GetProcAddress.KERNEL32 ref: 00007FF77D687805
GetLastError.KERNEL32 ref: 00007FF77D687817
GetProcAddress.KERNEL32 ref: 00007FF77D687833
GetLastError.KERNEL32 ref: 00007FF77D687845
GetProcAddress.KERNEL32 ref: 00007FF77D687861
GetLastError.KERNEL32 ref: 00007FF77D687873

Strings

Tk_GetNumMainWindows, xrefs: 00007FF77D687CA7, 00007FF77D687CC9
Tcl_JoinThread, xrefs: 00007FF77D687885, 00007FF77D6878A7
Tcl_ConditionNotify, xrefs: 00007FF77D68796B, 00007FF77D68798D
Tcl_SetVar2, xrefs: 00007FF77D687A51, 00007FF77D687A73
Tcl_CreateInterp, xrefs: 00007FF77D68771B, 00007FF77D68773D
Tk_Init, xrefs: 00007FF77D687C79, 00007FF77D687C9B
Tcl_EvalFile, xrefs: 00007FF77D687B93, 00007FF77D687BB5
Tcl_MutexLock, xrefs: 00007FF77D6878B3, 00007FF77D6878D5
GetProcAddress, xrefs: 00007FF77D6876FF
Tcl_EvalEx, xrefs: 00007FF77D687BC1, 00007FF77D687BE3
Tcl_GetCurrentThread, xrefs: 00007FF77D687857, 00007FF77D687879
Tcl_ThreadAlert, xrefs: 00007FF77D6879F5, 00007FF77D687A17
Tcl_Free, xrefs: 00007FF77D687C4B, 00007FF77D687C6D
Tcl_FindExecutable, xrefs: 00007FF77D687746, 00007FF77D687768
Tcl_Init, xrefs: 00007FF77D6876D0, 00007FF77D6876EF
Tcl_ConditionWait, xrefs: 00007FF77D687999, 00007FF77D6879BB
Tcl_DoOneEvent, xrefs: 00007FF77D687771, 00007FF77D687793
Failed to get address for %hs, xrefs: 00007FF77D6876F8
Tcl_ConditionFinalize, xrefs: 00007FF77D68793D, 00007FF77D68795F
Tcl_DeleteInterp, xrefs: 00007FF77D6877FB, 00007FF77D68781D
Tcl_SetVar2Ex, xrefs: 00007FF77D687B37, 00007FF77D687B59
Tcl_CreateThread, xrefs: 00007FF77D687829, 00007FF77D68784B
Tcl_MutexFinalize, xrefs: 00007FF77D68790F, 00007FF77D687931
Tcl_EvalObjv, xrefs: 00007FF77D687BEF, 00007FF77D687C11
Tcl_GetObjResult, xrefs: 00007FF77D687B65, 00007FF77D687B87
Tcl_GetString, xrefs: 00007FF77D687AAD, 00007FF77D687ACF
Tcl_NewStringObj, xrefs: 00007FF77D687ADB, 00007FF77D687AFD
Tcl_NewByteArrayObj, xrefs: 00007FF77D687B09, 00007FF77D687B2B
Tcl_MutexUnlock, xrefs: 00007FF77D6878E1, 00007FF77D687903
Tcl_FinalizeThread, xrefs: 00007FF77D6877CD, 00007FF77D6877EF
Tcl_Alloc, xrefs: 00007FF77D687C1D, 00007FF77D687C3F
Tcl_CreateObjCommand, xrefs: 00007FF77D687A7F, 00007FF77D687AA1
Tcl_GetVar2, xrefs: 00007FF77D687A23, 00007FF77D687A45
Tcl_Finalize, xrefs: 00007FF77D68779F, 00007FF77D6877C1
Tcl_ThreadQueueEvent, xrefs: 00007FF77D6879C7, 00007FF77D6879E9

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: e2cd111523718ad98217b7b84b7b650eb24fd88aca6d7889f8e3b3a670434045
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: 8E02B762D3DB07D1EA14BB59A8105B7A7A3AF857C5FC41331D5AE82260FF7CB5898230

Function 00007FFE1A4594B8 Relevance: 58.1, APIs: 4, Strings: 29, Instructions: 382COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459A29
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459A5E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459A97

Strings

__int32, xrefs: 00007FFE1A45976E
char, xrefs: 00007FFE1A459588
float, xrefs: 00007FFE1A45960A
short, xrefs: 00007FFE1A459576
volatile, xrefs: 00007FFE1A4598CF
auto, xrefs: 00007FFE1A4597EB
int, xrefs: 00007FFE1A459564
__int8, xrefs: 00007FFE1A4596D2
wchar_t, xrefs: 00007FFE1A45994A
volatile, xrefs: 00007FFE1A4598A2
__int128, xrefs: 00007FFE1A459750
double, xrefs: 00007FFE1A4595DE
long , xrefs: 00007FFE1A4595C7
char8_t, xrefs: 00007FFE1A4597D9
const, xrefs: 00007FFE1A459887
char16_t, xrefs: 00007FFE1A4597B8
__int16, xrefs: 00007FFE1A4596C0
long, xrefs: 00007FFE1A459552
UNKNOWN, xrefs: 00007FFE1A45992C
decltype(auto), xrefs: 00007FFE1A459900
<unknown>, xrefs: 00007FFE1A4597CA
unsigned , xrefs: 00007FFE1A4599E6
bool, xrefs: 00007FFE1A459780
this , xrefs: 00007FFE1A459971
__w64 , xrefs: 00007FFE1A4596FC
signed , xrefs: 00007FFE1A4599F6
__int64, xrefs: 00007FFE1A45975F
void, xrefs: 00007FFE1A45961C
char32_t, xrefs: 00007FFE1A4599AB

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1482988683
Opcode ID: 9af3000e46094686c92b09a1ab6ba282d3ea35f814097fcec630d6e6c72122d6
Instruction ID: 5c88346a1f5f333869e985466dc0456801a4d5599bf480a8075749a0f3c82d9e
Opcode Fuzzy Hash: 9af3000e46094686c92b09a1ab6ba282d3ea35f814097fcec630d6e6c72122d6
Instruction Fuzzy Hash: 810262B6F18E1288FB14AB66D9501FC27B1BB06B64F5441F7CA0D93ABADF2C9564C340

Function 00007FFE13333DD0 Relevance: 58.0, APIs: 19, Strings: 14, Instructions: 244networkCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FFE13333E4C
PyErr_Format.PYTHON312 ref: 00007FFE13334154
_Py_Dealloc.PYTHON312 ref: 00007FFE133341B2
htons.WS2_32 ref: 00007FFE133341CF

Strings

%s(): unsupported AF_HYPERV protocol: %d, xrefs: 00007FFE13333E3E
%s(): AF_INET address must be tuple, not %.500s, xrefs: 00007FFE133340F7
UU;AF_HYPERV address must be a str tuple (vm_id, service_id), xrefs: 00007FFE13333EB9
%s(): AF_HYPERV address vm_id is not a valid UUID string, xrefs: 00007FFE13333EE9
O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]]), xrefs: 00007FFE1333402A
%s(): unknown Bluetooth protocol, xrefs: 00007FFE13333F72
%s(): AF_HYPERV address must be tuple, not %.500s, xrefs: 00007FFE13333E8A
%s(): wrong format, xrefs: 00007FFE13333FA7
%s(): AF_INET6 address must be tuple, not %.500s, xrefs: 00007FFE13333FFA
%s(): AF_HYPERV address service_id is not a valid UUID string, xrefs: 00007FFE13333F2C
%s(): bad family, xrefs: 00007FFE13333E21
%s(): flowinfo must be 0-1048575., xrefs: 00007FFE133340A3
%s(): port must be 0-65535., xrefs: 00007FFE1333413F
O&i;AF_INET address must be a pair (host, port), xrefs: 00007FFE1333411A

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_Format$Deallochtons
String ID: %s(): AF_HYPERV address must be tuple, not %.500s$%s(): AF_HYPERV address service_id is not a valid UUID string$%s(): AF_HYPERV address vm_id is not a valid UUID string$%s(): AF_INET address must be tuple, not %.500s$%s(): AF_INET6 address must be tuple, not %.500s$%s(): bad family$%s(): flowinfo must be 0-1048575.$%s(): port must be 0-65535.$%s(): unknown Bluetooth protocol$%s(): unsupported AF_HYPERV protocol: %d$%s(): wrong format$O&i;AF_INET address must be a pair (host, port)$O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]])$UU;AF_HYPERV address must be a str tuple (vm_id, service_id)
API String ID: 2819711985-3631354148
Opcode ID: 45b9cbe3931565f39d19f7ca0834f8d3210d56543519b54c99f57147fbdc8962
Instruction ID: d5ac2b6c49ca719d282243b67acb9f24d8f67bab467bca62badb96a3fdb3e5f4
Opcode Fuzzy Hash: 45b9cbe3931565f39d19f7ca0834f8d3210d56543519b54c99f57147fbdc8962
Instruction Fuzzy Hash: 7EC11A76A08E46C9EB108F67D8442B9A3A0FB64FA8F508172DA6D67774DF3CE554C308

Function 00007FFE1333718C Relevance: 54.5, APIs: 24, Strings: 7, Instructions: 260threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FFE13337228
PyUnicode_AsEncodedString.PYTHON312 ref: 00007FFE13337262
PyObject_Str.PYTHON312 ref: 00007FFE133372A5
PyUnicode_AsUTF8.PYTHON312 ref: 00007FFE133372CB
PySys_Audit.PYTHON312 ref: 00007FFE13337329
PyEval_SaveThread.PYTHON312 ref: 00007FFE1333735F
getaddrinfo.WS2_32 ref: 00007FFE13337376
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13337382
PyList_New.PYTHON312 ref: 00007FFE133373A4
_Py_BuildValue_SizeT.PYTHON312 ref: 00007FFE1333740F
_Py_Dealloc.PYTHON312 ref: 00007FFE13337429
PyList_Append.PYTHON312 ref: 00007FFE1333743E
_Py_Dealloc.PYTHON312 ref: 00007FFE13337457
_Py_Dealloc.PYTHON312 ref: 00007FFE1333747D
_Py_Dealloc.PYTHON312 ref: 00007FFE13337496
freeaddrinfo.WS2_32 ref: 00007FFE133374A5
_Py_Dealloc.PYTHON312 ref: 00007FFE133374C0
_Py_Dealloc.PYTHON312 ref: 00007FFE133374D5
PyErr_SetString.PYTHON312 ref: 00007FFE133374EE
_Py_Dealloc.PYTHON312 ref: 00007FFE13337507
_Py_Dealloc.PYTHON312 ref: 00007FFE13337520
freeaddrinfo.WS2_32 ref: 00007FFE1333752F
PyErr_SetString.PYTHON312 ref: 00007FFE13337548

Strings

Int or String expected, xrefs: 00007FFE133374E4
iiisO, xrefs: 00007FFE13337404
getaddrinfo() argument 1 must be string or None, xrefs: 00007FFE1333753E
socket.getaddrinfo, xrefs: 00007FFE13337317
idna, xrefs: 00007FFE1333725B
OOiii, xrefs: 00007FFE13337306
OO|iiii:getaddrinfo, xrefs: 00007FFE133371DC

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Dealloc$String$Err_Eval_List_SizeThreadUnicode_freeaddrinfo$AppendArg_AuditBuildEncodedKeywords_Object_ParseRestoreSaveSys_TupleValue_getaddrinfo
String ID: Int or String expected$OOiii$OO|iiii:getaddrinfo$getaddrinfo() argument 1 must be string or None$idna$iiisO$socket.getaddrinfo
API String ID: 3469260611-1074899869
Opcode ID: 2f423c6ffa71151a3adb167c7cdb8e101b5c9d8c3bce7bb13a85d95737d9847a
Instruction ID: ecbd25fa9b85a6c27ef499063b4676d8086b4bce4410224a1b4a3b6114d2cb28
Opcode Fuzzy Hash: 2f423c6ffa71151a3adb167c7cdb8e101b5c9d8c3bce7bb13a85d95737d9847a
Instruction Fuzzy Hash: 2BC14E32A08E42CEEB55CF62D4446B8B7A0BB68FA4F0081B5DD6D62664DF3CE585C308

Function 00007FFE133378C8 Relevance: 45.7, APIs: 16, Strings: 10, Instructions: 162threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE1333791F
PyErr_SetString.PYTHON312 ref: 00007FFE1333794F
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13337997
PySys_Audit.PYTHON312 ref: 00007FFE133379CE
PyOS_snprintf.PYTHON312 ref: 00007FFE13337A01
PyEval_SaveThread.PYTHON312 ref: 00007FFE13337A2F
getaddrinfo.WS2_32 ref: 00007FFE13337A4B
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13337A56
PyErr_SetString.PYTHON312 ref: 00007FFE13337A91
htonl.WS2_32 ref: 00007FFE13337AB1
PyEval_SaveThread.PYTHON312 ref: 00007FFE13337AC1
getnameinfo.WS2_32 ref: 00007FFE13337AF9
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13337B04
PyUnicode_DecodeMBCS.PYTHON312 ref: 00007FFE13337B52
_Py_BuildValue_SizeT.PYTHON312 ref: 00007FFE13337B6B
freeaddrinfo.WS2_32 ref: 00007FFE13337B8E

Strings

getnameinfo(): flowinfo must be 0-1048575., xrefs: 00007FFE133379B2
IPv4 sockaddr must be 2 tuple, xrefs: 00007FFE13337B27
socket.getnameinfo, xrefs: 00007FFE133379C7
getnameinfo() argument 1 must be a tuple, xrefs: 00007FFE13337945
(O), xrefs: 00007FFE133379C0
surrogatepass, xrefs: 00007FFE13337B47
sockaddr resolved to multiple addresses, xrefs: 00007FFE13337A80
si|II;getnameinfo(): illegal sockaddr argument, xrefs: 00007FFE13337990
, xrefs: 00007FFE13337ADF
Oi:getnameinfo, xrefs: 00007FFE13337914

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$Size$Arg_Err_ParseRestoreSaveStringTuple_$AuditBuildDecodeS_snprintfSys_Unicode_Value_freeaddrinfogetaddrinfogetnameinfohtonl
String ID: $(O)$IPv4 sockaddr must be 2 tuple$Oi:getnameinfo$getnameinfo() argument 1 must be a tuple$getnameinfo(): flowinfo must be 0-1048575.$si|II;getnameinfo(): illegal sockaddr argument$sockaddr resolved to multiple addresses$socket.getnameinfo$surrogatepass
API String ID: 2526741257-243639936
Opcode ID: 04604c1635eafd80c084e70278c0c195183a3ebb5ddeaecdd157658cd547c5cb
Instruction ID: ddb83d2b85cab8a96cfefdccebe505b7838e3767ccc60cb37d8764de4ed3476f
Opcode Fuzzy Hash: 04604c1635eafd80c084e70278c0c195183a3ebb5ddeaecdd157658cd547c5cb
Instruction Fuzzy Hash: 59813D72A08E468AE710CF26E4402A9B3B0FB94FA4F108176DA6D67774DF7CE545CB44

Function 00007FFE148E22F8 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 206timethreadnetworkCOMMON

Download Yara Rule

APIs

_PyTime_FromSecondsObject.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E2356
PyErr_ExceptionMatches.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E236A
PyErr_SetString.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E23B6

Part of subcall function 00007FFE148E266C: PySequence_Fast.PYTHON312(00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E2694

_PyDeadline_Init.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E2471
PyEval_SaveThread.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E24AB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E24B4
select.WS2_32(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E24CD
PyEval_RestoreThread.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E24D9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E24DF
PyErr_CheckSignals.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E24EE
_PyDeadline_Get.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E250B
_PyTime_AsTimeval_clamp.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E2529
PyErr_Occurred.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E2584
PyTuple_Pack.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E259D
_Py_Dealloc.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E25BA
_Py_Dealloc.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E25D3
_Py_Dealloc.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E25EC
WSAGetLastError.WS2_32(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E2652
PyErr_SetExcFromWindowsErr.PYTHON312(?,?,?,00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E2664

Part of subcall function 00007FFE148E266C: PyObject_AsFileDescriptor.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E2709
Part of subcall function 00007FFE148E266C: PyErr_SetString.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E278F
Part of subcall function 00007FFE148E266C: _Py_Dealloc.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E27A3
Part of subcall function 00007FFE148E266C: _Py_Dealloc.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E27B7

Part of subcall function 00007FFE148E266C: _Py_Dealloc.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E27D2

Strings

timeout must be non-negative, xrefs: 00007FFE148E23AC
timeout must be a float or None, xrefs: 00007FFE148E237B

Memory Dump Source

Source File: 00000001.00000002.2667804984.00007FFE148E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000001.00000002.2667789447.00007FFE148E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667838554.00007FFE148E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667854016.00007FFE148E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe148e0000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: DeallocErr_$Deadline_Eval_FromStringThreadTime__errno$CheckDescriptorErrorExceptionFastFileInitLastMatchesObjectObject_OccurredPackRestoreSaveSecondsSequence_SignalsTimeval_clampTuple_Windowsselect
String ID: timeout must be a float or None$timeout must be non-negative
API String ID: 1581318368-2150404077
Opcode ID: d788fc8d8f2c4c3425777ff2c68e582025ccc74bbe31b0ae76aafc8d094d01c2
Instruction ID: f4c3cf032189b3248589dc517d5033da8ee389644114b3521e5d41e3600ff92f
Opcode Fuzzy Hash: d788fc8d8f2c4c3425777ff2c68e582025ccc74bbe31b0ae76aafc8d094d01c2
Instruction Fuzzy Hash: E0912F61A08E8399EB219F26D8941B9A3A0FF46BA4F400175FA4E677B8DF3DD54DC700

Function 00007FFE13334864 Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

_Py_BuildValue_SizeT.PYTHON312 ref: 00007FFE133348C0

Strings

Unknown Bluetooth protocol, xrefs: 00007FFE1333498A
iy#, xrefs: 00007FFE133348B9
OiII, xrefs: 00007FFE13334A1B

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: BuildSizeValue_
String ID: OiII$Unknown Bluetooth protocol$iy#
API String ID: 1740464280-1931379703
Opcode ID: 902a55de1e61e57d9b75f782d95346036916bf3d28d7f19c3b677d66217b6a38
Instruction ID: 0da0ff9ca4f501d822c01c8c4d00017b7cc5c5b3e3ba7b6c1d9b492d1b1b64ac
Opcode Fuzzy Hash: 902a55de1e61e57d9b75f782d95346036916bf3d28d7f19c3b677d66217b6a38
Instruction Fuzzy Hash: 7C514F25A0CE429AEA649B53E544179E360BF65FB1F40C1B1DA7E736B4EF2CE484C308

Function 00007FFE1A45CDBC Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE4D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE86
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CF5A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CF6B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CFCE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CFDE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D02A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D03C
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D1B1

Part of subcall function 00007FFE1A45ED94: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45EDEE

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D233
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D242

Strings

`anonymous namespace', xrefs: 00007FFE1A45D10E

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: c2c563be3abc2cd025459880134dd91d33137c93c5547e13454a58e5101b2a40
Instruction ID: b0aecc6a5b2ee625eb65b6c04eb6cd1c2b65b4eb29808fc0c3c241776bc2e4aa
Opcode Fuzzy Hash: c2c563be3abc2cd025459880134dd91d33137c93c5547e13454a58e5101b2a40
Instruction Fuzzy Hash: A2E16DB2B08F8299EB10EF26D8801BD77A0FB45B58F4081B6EA8D17B65DF38D565C700

Function 00007FFE13338270 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE1333829D
PyErr_SetString.PYTHON312 ref: 00007FFE133382C9
PyBuffer_Release.PYTHON312 ref: 00007FFE133382D4
PyErr_SetString.PYTHON312 ref: 00007FFE13338303
PyBuffer_Release.PYTHON312 ref: 00007FFE1333830E
inet_ntop.WS2_32 ref: 00007FFE13338335
PyErr_SetFromErrno.PYTHON312 ref: 00007FFE1333834D
PyBuffer_Release.PYTHON312 ref: 00007FFE13338358
PyBuffer_Release.PYTHON312 ref: 00007FFE13338385
PyUnicode_FromString.PYTHON312 ref: 00007FFE1333838E
PyErr_Format.PYTHON312 ref: 00007FFE133383AA
PyBuffer_Release.PYTHON312 ref: 00007FFE133383B5

Strings

iy*:inet_ntop, xrefs: 00007FFE13338291
invalid length of packed IP address string, xrefs: 00007FFE133382BF, 00007FFE133382F9
unknown address family %d, xrefs: 00007FFE1333839D

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Buffer_Release$Err_$String$From$Arg_ErrnoFormatParseSizeTuple_Unicode_inet_ntop
String ID: invalid length of packed IP address string$iy*:inet_ntop$unknown address family %d
API String ID: 1507301079-2822559286
Opcode ID: 53b98e0b39da5fdef2c7c0ee4bcb4f09635da776308b6f8e1f3f5746954ec4bc
Instruction ID: 37ea05d13dd3faf9a72bbc1d09545028be3070e5ac5b9bff6f81c3023bcc27c8
Opcode Fuzzy Hash: 53b98e0b39da5fdef2c7c0ee4bcb4f09635da776308b6f8e1f3f5746954ec4bc
Instruction Fuzzy Hash: B9317E21A1CE43C9EA50CB16E8507B9A3A0FFA8F64F408071D56EA7274DF3CE488C708

Function 00007FF77D6881D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77D689390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77D6845F4,00000000,00007FF77D681985), ref: 00007FF77D6893C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF77D6886B7,?,?,00000000,00007FF77D683CBB), ref: 00007FF77D68822C

Part of subcall function 00007FF77D682810: MessageBoxW.USER32 ref: 00007FF77D6828EA

Strings

%.*s, xrefs: 00007FF77D68830C
CreateDirectory, xrefs: 00007FF77D68837C
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF77D6882D9
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF77D688240
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF77D688373
\, xrefs: 00007FF77D688261
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF77D688203
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF77D68829D

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction ID: 13f5c94b32422a94e6a83ed4de74b14c0ac98d3864a61f303e0d215e65f1d957
Opcode Fuzzy Hash: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction Fuzzy Hash: E7514113E3C642C1EA50FB65A8516BBE393AF94BC0FC44636D64EC26D5FE2CE5058760

Function 00007FFE13336C9C Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13336CCC
setsockopt.WS2_32 ref: 00007FFE13336CF6
PyErr_Clear.PYTHON312 ref: 00007FFE13336D03
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13336D47
PyErr_Clear.PYTHON312 ref: 00007FFE13336D5E
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13336D88
PyBuffer_Release.PYTHON312 ref: 00007FFE13336DA4
PyErr_Format.PYTHON312 ref: 00007FFE13336DC1
setsockopt.WS2_32 ref: 00007FFE13336DE7
PyBuffer_Release.PYTHON312 ref: 00007FFE13336DF4

Strings

socket option is larger than %i bytes, xrefs: 00007FFE13336DB1
iiO!I:setsockopt, xrefs: 00007FFE13336D20
iii:setsockopt, xrefs: 00007FFE13336CC5
iiy*:setsockopt, xrefs: 00007FFE13336D81

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_Err_ParseSizeTuple_$Buffer_ClearReleasesetsockopt$Format
String ID: iiO!I:setsockopt$iii:setsockopt$iiy*:setsockopt$socket option is larger than %i bytes
API String ID: 418579395-1608436615
Opcode ID: e5620e990f8220b448d5b59fe45baab9dc0f6dbd4740d24abe31777b74632af3
Instruction ID: 37eb83a0043176d8e38104c07592b3e53788ef4d317d5b53fc7912319d67e3dc
Opcode Fuzzy Hash: e5620e990f8220b448d5b59fe45baab9dc0f6dbd4740d24abe31777b74632af3
Instruction Fuzzy Hash: 4A412C31A08E86DAEB208F12E4447A9B360FB98FA4F508171DA6D53B74DF3CD549C748

Function 00007FFE13332950 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

PySys_Audit.PYTHON312 ref: 00007FFE1333296C
GetComputerNameExW.KERNEL32 ref: 00007FFE1333298D
PyUnicode_FromWideChar.PYTHON312 ref: 00007FFE133329A4
GetLastError.KERNEL32 ref: 00007FFE13333A6E
PyErr_SetFromWindowsErr.PYTHON312 ref: 00007FFE13333A7D

Strings

socket.gethostname, xrefs: 00007FFE13332965

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: From$AuditCharComputerErr_ErrorLastNameSys_Unicode_WideWindows
String ID: socket.gethostname
API String ID: 1075394898-2650736202
Opcode ID: 25ae612990bab75232c8daec9245eaa7fbb0b38a1306ba03551d9cdaf76ece37
Instruction ID: af14e5011c33825234d4c61409a6e7881f5d319c55ee4b89cf652ba1ac2598af
Opcode Fuzzy Hash: 25ae612990bab75232c8daec9245eaa7fbb0b38a1306ba03551d9cdaf76ece37
Instruction Fuzzy Hash: 4231F021A0CE42CAE7249B22E85437AE365FFA8FA5F44C075D95E966B4DE3CE044C604

Function 00007FFE13337F30 Relevance: 24.1, APIs: 16, Instructions: 106COMMON

Download Yara Rule

APIs

PyList_New.PYTHON312 ref: 00007FFE13337F4D
GetIfTable2Ex.IPHLPAPI ref: 00007FFE13337F71
_Py_Dealloc.PYTHON312 ref: 00007FFE13337F8B
PyErr_SetFromWindowsErr.PYTHON312 ref: 00007FFE13337F93
memcpy.VCRUNTIME140 ref: 00007FFE13337FD1
ConvertInterfaceLuidToNameW.IPHLPAPI ref: 00007FFE13337FE9
_Py_BuildValue_SizeT.PYTHON312 ref: 00007FFE1333800C
PyList_Append.PYTHON312 ref: 00007FFE13338020
_Py_Dealloc.PYTHON312 ref: 00007FFE1333803A
FreeMibTable.IPHLPAPI ref: 00007FFE13338053
_Py_Dealloc.PYTHON312 ref: 00007FFE13338092
_Py_Dealloc.PYTHON312 ref: 00007FFE133380A6
FreeMibTable.IPHLPAPI ref: 00007FFE133380B1
_Py_Dealloc.PYTHON312 ref: 00007FFE133380C9
FreeMibTable.IPHLPAPI ref: 00007FFE133380D4
PyErr_SetFromWindowsErr.PYTHON312 ref: 00007FFE133380DC

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Dealloc$FreeTable$Err_FromList_Windows$AppendBuildConvertInterfaceLuidNameSizeTable2Value_memcpy
String ID:
API String ID: 1684791173-0
Opcode ID: 6e5f08eccdd5b29cfe341dff8070fb2ed0092c75082b83863e899f864d342429
Instruction ID: 5d2f2c753f9d539958950d76ca20bc391bc37e335e80b0c7acdac5b89442db22
Opcode Fuzzy Hash: 6e5f08eccdd5b29cfe341dff8070fb2ed0092c75082b83863e899f864d342429
Instruction Fuzzy Hash: 7C413131E0CF42CAEA545B22E8543B9B3A0FFA5F65F048075C96E666B4DF2CE4498744

Function 00007FFE1A45DC24 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFE1A4590F4), ref: 00007FFE1A45E08A
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45E0C9
swprintf_s.PGOCR ref: 00007FFE1A45E0E9
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45E0F9
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E149

Strings

`generic-method-parameter-, xrefs: 00007FFE1A45E116
NULL, xrefs: 00007FFE1A45DCF1
nullptr, xrefs: 00007FFE1A45DE0D
lambda, xrefs: 00007FFE1A45DFE8
`template-type-parameter-, xrefs: 00007FFE1A45E16A
`generic-class-parameter-, xrefs: 00007FFE1A45E15A

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: NameName::$Name::operator+atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 2331677841-2441609178
Opcode ID: 04052d8e5626c1f24672c52f4d573e3506f88365006a7f318b5907256fbad706
Instruction ID: 93562e20a7cb230eb50f8f01d2e8e48d429b6c114f72410326a843cfe3031cc9
Opcode Fuzzy Hash: 04052d8e5626c1f24672c52f4d573e3506f88365006a7f318b5907256fbad706
Instruction Fuzzy Hash: 3FF1AEE2F08E1284FB25FB66D5551BC27A1AF45F64F4040F7CA4E16AB6DF3CA5698300

Function 00007FF77D681600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

fwrite, xrefs: 00007FF77D6817D1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77D6816DA
Failed to extract %s: failed to open target file!, xrefs: 00007FF77D68165C
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF77D681742
Failed to create symbolic link %s!, xrefs: 00007FF77D681622
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF77D6817DF
fseek, xrefs: 00007FF77D6816E1
Failed to extract %s: failed to open archive file!, xrefs: 00007FF77D6816A2
fopen, xrefs: 00007FF77D681663
fread, xrefs: 00007FF77D6817E6
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF77D6817CA
malloc, xrefs: 00007FF77D681749

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: e8f7eb8be34c1f40e570a1d721804810372ce1450404f1b708da05039a63d225
Instruction ID: 2d90dc93eb87c9af10278bff285bdb620f9fc7c968573217592183f3775d7416
Opcode Fuzzy Hash: e8f7eb8be34c1f40e570a1d721804810372ce1450404f1b708da05039a63d225
Instruction Fuzzy Hash: D25166A2E3C64392EA10BB2594001BBA393BF947D4FC44735EE4D87696FE3CE5858320

Function 00007FFE13335EDC Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 113networkCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13335F1E
PyErr_Format.PYTHON312 ref: 00007FFE13335F60
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13335F9B
WSAIoctl.WS2_32 ref: 00007FFE13335FD4
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13336008
WSAIoctl.WS2_32 ref: 00007FFE13336045
PyLong_FromUnsignedLong.PYTHON312 ref: 00007FFE13336053
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13336077
WSAIoctl.WS2_32 ref: 00007FFE133360B4

Strings

kO:ioctl, xrefs: 00007FFE13335F17
invalid ioctl command %lu, xrefs: 00007FFE13335F56
kI:ioctl, xrefs: 00007FFE13335F94, 00007FFE13336070
k(kkk):ioctl, xrefs: 00007FFE13336001

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_ParseSizeTuple_$Ioctl$Err_FormatFromLongLong_Unsigned
String ID: invalid ioctl command %lu$k(kkk):ioctl$kI:ioctl$kO:ioctl
API String ID: 1148432870-4238462244
Opcode ID: 3f76204c42d358388be91a2e0fa01af582f79ca479d8e6d2f391cea6ebf1b823
Instruction ID: 4ae6b5c1d392135578ce423187629574e72613d274bd158fb832f65f8b88a671
Opcode Fuzzy Hash: 3f76204c42d358388be91a2e0fa01af582f79ca479d8e6d2f391cea6ebf1b823
Instruction Fuzzy Hash: 2E516F71A18E02CDE710CB66E8406ED73B0FB58B68F548276EA6DA3AA4DF3CD154C744

Function 00007FFE13334284 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

PyBytes_AsString.PYTHON312 ref: 00007FFE133342C5
PyBytes_Size.PYTHON312 ref: 00007FFE133342D2
PyErr_SetString.PYTHON312 ref: 00007FFE13334374
_Py_Dealloc.PYTHON312 ref: 00007FFE133343FB

Strings

host name must not contain null character, xrefs: 00007FFE13334401
str, bytes or bytearray expected, not %s, xrefs: 00007FFE13334399
idna, xrefs: 00007FFE1333434B
encoding of hostname failed, xrefs: 00007FFE13334363

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Bytes_String$DeallocErr_Size
String ID: encoding of hostname failed$host name must not contain null character$idna$str, bytes or bytearray expected, not %s
API String ID: 2522550923-2120988924
Opcode ID: 4bff7bdefa987b91148ee3b18d677af03c6520adca83e4b60bb055ec74d24b36
Instruction ID: 21b4f9791c90663e4762bbdcdfb830996afbe1037831761cb9b853560844b421
Opcode Fuzzy Hash: 4bff7bdefa987b91148ee3b18d677af03c6520adca83e4b60bb055ec74d24b36
Instruction Fuzzy Hash: 78414C69A08F0289EB548B17E450378A360EF64FB4F54D0B1DA3E673B0DF2CE4A18309

Function 00007FFE13336A44 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 95COMMON

Download Yara Rule

APIs

PyTuple_Size.PYTHON312 ref: 00007FFE13336A7A
PyErr_Format.PYTHON312 ref: 00007FFE13336AA3
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13336ACB
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13336AEE
PySys_Audit.PYTHON312 ref: 00007FFE13336B3C
PyBuffer_Release.PYTHON312 ref: 00007FFE13336BB0
PyLong_FromSsize_t.PYTHON312 ref: 00007FFE13336BBB
PyBuffer_Release.PYTHON312 ref: 00007FFE13336BC7

Strings

socket.sendto, xrefs: 00007FFE13336B35
sendto, xrefs: 00007FFE13336B01
y*iO:sendto, xrefs: 00007FFE13336AC4
y*O:sendto, xrefs: 00007FFE13336AE7
sendto() takes 2 or 3 arguments (%zd given), xrefs: 00007FFE13336A96

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: SizeTuple_$Arg_Buffer_ParseRelease$AuditErr_FormatFromLong_Ssize_tSys_
String ID: sendto$sendto() takes 2 or 3 arguments (%zd given)$socket.sendto$y*O:sendto$y*iO:sendto
API String ID: 3528750861-2448770124
Opcode ID: 88304e7169643b13afbf15443212dc575dcb254fe66de0b973b6d6862d59c8aa
Instruction ID: d9ce175c4e31859b7e69567d8986d1d224341ce656ea70bca5143f0f22c15824
Opcode Fuzzy Hash: 88304e7169643b13afbf15443212dc575dcb254fe66de0b973b6d6862d59c8aa
Instruction Fuzzy Hash: 49412F71A08E46C9E710CF66E8442AAB3B4FB98BA4F408172DA5D63778DF3CD544CB44

Function 00007FFE004524B0 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

PyModule_AddStringConstant.PYTHON312 ref: 00007FFE004524D0
PyType_FromSpec.PYTHON312 ref: 00007FFE004524E5
PyModule_AddType.PYTHON312 ref: 00007FFE004524FD
_Py_Dealloc.PYTHON312 ref: 00007FFE00453F76

Part of subcall function 00007FFE004525A0: _PyObject_GC_New.PYTHON312(?,?,00000000,00007FFE00452513), ref: 00007FFE004525A6
Part of subcall function 00007FFE004525A0: PyObject_GC_Track.PYTHON312(?,?,00000000,00007FFE00452513), ref: 00007FFE004525D8

PyModule_AddObject.PYTHON312 ref: 00007FFE00452537
PyModule_AddObjectRef.PYTHON312 ref: 00007FFE0045255F
_Py_Dealloc.PYTHON312 ref: 00007FFE00453F85

Strings

ucd_3_2_0, xrefs: 00007FFE0045252D
8`G, xrefs: 00007FFE004524DE
15.0.0, xrefs: 00007FFE004524BF
_ucnhash_CAPI, xrefs: 00007FFE00452555
unidata_version, xrefs: 00007FFE004524C9

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Module_$DeallocObjectObject_$ConstantFromSpecStringTrackTypeType_
String ID: 15.0.0$8`G$_ucnhash_CAPI$ucd_3_2_0$unidata_version
API String ID: 2663085338-2601521091
Opcode ID: 35f2a36de3bf8fc04aa01d781381661ddda8c4355416510f682401fb826b2ab5
Instruction ID: 9c6ba3e57d7c500ab3d83d1d0a78685e5ee48f25cb300148464b805f6faf78c8
Opcode Fuzzy Hash: 35f2a36de3bf8fc04aa01d781381661ddda8c4355416510f682401fb826b2ab5
Instruction Fuzzy Hash: B7311221E0CA0792F6155F21E92437926A1AF4ABD7F985431DB0D467BFEFACF5448308

Function 00007FFE13337CE8 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 50threadnetworkCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13337D09
PySys_Audit.PYTHON312 ref: 00007FFE13337D3C
PyEval_SaveThread.PYTHON312 ref: 00007FFE13337D54
htons.WS2_32 ref: 00007FFE13337D62
getservbyport.WS2_32 ref: 00007FFE13337D70
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13337D7C
PyErr_SetString.PYTHON312 ref: 00007FFE13337D9D
PyUnicode_FromString.PYTHON312 ref: 00007FFE13337DB2
PyErr_SetString.PYTHON312 ref: 00007FFE13337DCB

Strings

port/proto not found, xrefs: 00007FFE13337D93
getservbyport: port must be 0-65535., xrefs: 00007FFE13337DC1
socket.getservbyport, xrefs: 00007FFE13337D35
i|s:getservbyport, xrefs: 00007FFE13337CF8

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: String$Err_Eval_Thread$Arg_AuditFromParseRestoreSaveSizeSys_Tuple_Unicode_getservbyporthtons
String ID: getservbyport: port must be 0-65535.$i|s:getservbyport$port/proto not found$socket.getservbyport
API String ID: 3420281234-2618607128
Opcode ID: df385e0b112e720f1497a781268f28e1972b04836732b04ec17d0f334ba274de
Instruction ID: 81017025f3777f8872d61529cf199f8f8287dd8fbd06277b772a5282bc76bd5a
Opcode Fuzzy Hash: df385e0b112e720f1497a781268f28e1972b04836732b04ec17d0f334ba274de
Instruction Fuzzy Hash: 60213E61A18E07C9EA40DB17E894279A371FF99FA4F508071DA5E67674DF3DE048C708

Function 00007FFE00454910 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFE00454955
PyUnicode_Compare.PYTHON312 ref: 00007FFE004549B8
_Py_Dealloc.PYTHON312 ref: 00007FFE004549CE

Strings

NFKD, xrefs: 00007FFE00454A10
invalid normalization form, xrefs: 00007FFE00454A32
NFC, xrefs: 00007FFE00454941
NFD, xrefs: 00007FFE004549F8
NFKC, xrefs: 00007FFE004549D8

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CompareUnicode_$DeallocStringWith
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1004266020-3528878251
Opcode ID: 1585b7f006c3bc3ef317b73109392006e48ef7fb1c9bb5363a1940f6ac4bfac5
Instruction ID: 570a17308d29e61a0bdee7ad3f2084434c93d36e7f26920a2c383c8d6a25ee52
Opcode Fuzzy Hash: 1585b7f006c3bc3ef317b73109392006e48ef7fb1c9bb5363a1940f6ac4bfac5
Instruction Fuzzy Hash: 50415F61A0CE0391EB549B21E86437967A1BF85BCAF844035DB8E4B77ADF3DE4849308

Function 00007FFE1A45B280 Relevance: 19.9, APIs: 13, Instructions: 361COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45B2D1
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45B39A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45B3E3
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45B3F4

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 9a3856515ab70ac0cbef49cb78169d28014df4ca819d0bec0dbbb0bc7461e156
Instruction ID: 2e7bae8358ff074180c73b1976c0d414eba33ed367bfbf5dccadc2b75fdc8e4b
Opcode Fuzzy Hash: 9a3856515ab70ac0cbef49cb78169d28014df4ca819d0bec0dbbb0bc7461e156
Instruction Fuzzy Hash: 62F1AEB6B08A829EF711EF66D4501FC37B0EB04B5CB4044B3EA4D57AA9EE38D566C740

Function 00007FFE004511B0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFE004511E2
PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFE004511FA
PyType_IsSubtype.PYTHON312 ref: 00007FFE0045121D

Part of subcall function 00007FFE004512F0: PyMem_Malloc.PYTHON312 ref: 00007FFE00451376
Part of subcall function 00007FFE004512F0: PyMem_Free.PYTHON312 ref: 00007FFE0045147C

PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFE0045377B

Strings

NFKD, xrefs: 00007FFE004537B7
invalid normalization form, xrefs: 00007FFE00453813
NFC, xrefs: 00007FFE004511D8
NFD, xrefs: 00007FFE00453771
NFKC, xrefs: 00007FFE004511F0

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CompareStringUnicode_With$Mem_$FreeMallocSubtypeType_
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1723213316-3528878251
Opcode ID: 0183ee75f38b3d9b4e000f242270cd4c61522a137d2eba0fb5a9939ca12be486
Instruction ID: e2650e245481f322360354a0dcb3cc0f553687f6a543d9e720396b35562a03a8
Opcode Fuzzy Hash: 0183ee75f38b3d9b4e000f242270cd4c61522a137d2eba0fb5a9939ca12be486
Instruction Fuzzy Hash: 1051B161E0CA4382FB608B26A5607792790AF56BC2F045171EB4E97BBFDF2CF5418708

Function 00007FFE004544E4 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 109COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFE00454514
PyType_IsSubtype.PYTHON312 ref: 00007FFE00454577
PyUnicode_FromString.PYTHON312 ref: 00007FFE00454593

Strings

a unicode character, xrefs: 00007FFE004544FF
argument, xrefs: 00007FFE00454506
decomposition, xrefs: 00007FFE0045450D
%04X, xrefs: 00007FFE0045463C
, xrefs: 00007FFE00454627

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_ArgumentFromStringSubtypeType_Unicode_
String ID: $%04X$a unicode character$argument$decomposition
API String ID: 1318908108-4056541097
Opcode ID: 2aa5bcb769f9567ef44792d0b8645ff4acf96607a2464068c30a17cc2bf935c6
Instruction ID: 9ae14673202e9e47b64824f51da9fab5d3c1504cd594c92e8e18b17b983a1158
Opcode Fuzzy Hash: 2aa5bcb769f9567ef44792d0b8645ff4acf96607a2464068c30a17cc2bf935c6
Instruction Fuzzy Hash: 9F41DE71E08A8692EB258B15E4143B92361FF85B9AF440235DB5E4B7EEEF3CE585C304

Function 00007FFE133375A4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE133375E0
PySys_Audit.PYTHON312 ref: 00007FFE13337602
PyErr_SetString.PYTHON312 ref: 00007FFE13337668
PyMem_Free.PYTHON312 ref: 00007FFE133376D5

Strings

et:gethostbyaddr, xrefs: 00007FFE133375D7
socket.gethostbyaddr, xrefs: 00007FFE133375FB
idna, xrefs: 00007FFE133375CD
unsupported address family, xrefs: 00007FFE1333765E

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_AuditErr_FreeMem_ParseSizeStringSys_Tuple_
String ID: et:gethostbyaddr$idna$socket.gethostbyaddr$unsupported address family
API String ID: 1738687268-1751716127
Opcode ID: c83d73dceb3c4610a70c8c8e411a58869078ba58085a6a2956745bc7e2575713
Instruction ID: 78835616520ce2abf2d078c122d675ba06901deff97d13e26615ef8c8fa5fd6c
Opcode Fuzzy Hash: c83d73dceb3c4610a70c8c8e411a58869078ba58085a6a2956745bc7e2575713
Instruction Fuzzy Hash: 5A316F61A08E86C9E6209B17E8547EAA360FBA8FE0F448072DEAD67774DE3CD445C744

Function 00007FFE13336660 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FFE133366AF
PyBuffer_Release.PYTHON312 ref: 00007FFE133366C8
PyErr_SetString.PYTHON312 ref: 00007FFE133366DF
PyBuffer_Release.PYTHON312 ref: 00007FFE13336728
_Py_Dealloc.PYTHON312 ref: 00007FFE13336743
PyBuffer_Release.PYTHON312 ref: 00007FFE13336757
PyBuffer_Release.PYTHON312 ref: 00007FFE13336769
_Py_BuildValue_SizeT.PYTHON312 ref: 00007FFE1333677E

Strings

nbytes is greater than the length of the buffer, xrefs: 00007FFE1333675D
negative buffersize in recvfrom_into, xrefs: 00007FFE133366CE
w*|ni:recvfrom_into, xrefs: 00007FFE1333667E

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Buffer_Release$Size$Arg_BuildDeallocErr_Keywords_ParseStringTupleValue_
String ID: nbytes is greater than the length of the buffer$negative buffersize in recvfrom_into$w*|ni:recvfrom_into
API String ID: 252658603-4033050226
Opcode ID: cbd05dbb59b33da20bee7d15abf173420b95374231d8228cad919bc37cd99a43
Instruction ID: d8dad086dd6eefa33f9a1186e6bda3f7011f7940ac23b52999b015d6c1852d62
Opcode Fuzzy Hash: cbd05dbb59b33da20bee7d15abf173420b95374231d8228cad919bc37cd99a43
Instruction Fuzzy Hash: 04311A71A08F42C9EA108B52E4942B9B364FBA9FB4F408176DAAD63670DF7DD588C704

Function 00007FFE13337C20 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 44threadnetworkCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13337C41
PySys_Audit.PYTHON312 ref: 00007FFE13337C67
PyEval_SaveThread.PYTHON312 ref: 00007FFE13337C7B
getservbyname.WS2_32 ref: 00007FFE13337C8E
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13337C9A
PyErr_SetString.PYTHON312 ref: 00007FFE13337CBB
htons.WS2_32 ref: 00007FFE13337CD1
PyLong_FromLong.PYTHON312 ref: 00007FFE13337CDA

Strings

socket.getservbyname, xrefs: 00007FFE13337C60
service/proto not found, xrefs: 00007FFE13337CB1
s|s:getservbyname, xrefs: 00007FFE13337C30

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$Arg_AuditErr_FromLongLong_ParseRestoreSaveSizeStringSys_Tuple_getservbynamehtons
String ID: service/proto not found$socket.getservbyname$s|s:getservbyname
API String ID: 1135235387-1257235949
Opcode ID: 3b5f47b3c7fe93ff51d3c351ac1364b9cc3afc28ca2730272accc108aa8dca2c
Instruction ID: a3521df37f8b0e18942634b39b465b1e070e9cd60ea21b4056d3c916d8bd3ce9
Opcode Fuzzy Hash: 3b5f47b3c7fe93ff51d3c351ac1364b9cc3afc28ca2730272accc108aa8dca2c
Instruction Fuzzy Hash: C311FE65A08E42C9EA408B13E854379A370FB69FA5F508071DA9D63674DF3CD485C704

Function 00007FFE1A453334 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 309COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE1A453390

Part of subcall function 00007FFE1A455768: __GetUnwindTryBlock.LIBCMT ref: 00007FFE1A4557AB
Part of subcall function 00007FFE1A455768: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE1A4557D0

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A453468
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453475
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE1A4536B9
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4536E7

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4537AD
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A4537E2

Strings

csm, xrefs: 00007FFE1A45348D
csm, xrefs: 00007FFE1A4533AA
csm, xrefs: 00007FFE1A453411

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: dcb3548c504605ccad87c1df068e82445ce8bfed626f824eb2c4e809fdb80efd
Instruction ID: e48452420167fd4016481dcbd2d7482d51d7b7028674ea83e554c8d18ca61680
Opcode Fuzzy Hash: dcb3548c504605ccad87c1df068e82445ce8bfed626f824eb2c4e809fdb80efd
Instruction Fuzzy Hash: FFD1B3B2B08B4186EB60AF66D4502BD77A0FB45FA8F1041B6EE4D57B65DF38E1A0C700

Function 00007FFE1A45ED94 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45EDEE

Strings

`generic-type-, xrefs: 00007FFE1A45EECA
generic-type-, xrefs: 00007FFE1A45EE97
template-parameter-, xrefs: 00007FFE1A45EE50
`template-parameter-, xrefs: 00007FFE1A45EE83

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: 73310b6c18e80224c33410df5d9c8b136be81ee7f088e8962b8740eac16092a6
Instruction ID: b5c5640df7dcb937c0033f08ff8f980e5b36e6882d1b4293bf9711aad441de39
Opcode Fuzzy Hash: 73310b6c18e80224c33410df5d9c8b136be81ee7f088e8962b8740eac16092a6
Instruction Fuzzy Hash: A591AEA2B18E8699FB21EF22D4512B833B1AB54F68F4481F3DA5D036A5DF3CE565C340

Function 00007FF77D682180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF77D6821AB
SelectObject.GDI32 ref: 00007FF77D6821F2
DrawTextW.USER32 ref: 00007FF77D682215
SelectObject.GDI32 ref: 00007FF77D68222B
ReleaseDC.USER32 ref: 00007FF77D68223B
MoveWindow.USER32 ref: 00007FF77D68228B
MoveWindow.USER32 ref: 00007FF77D6822CB
MoveWindow.USER32 ref: 00007FF77D68231E
MoveWindow.USER32 ref: 00007FF77D682366

Strings

P%, xrefs: 00007FF77D6821FF

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 324a2019fd3fd77a4f37da7bbf7c37a1025943420115d161faca1770fff69cc4
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: E751CC265287A186D6349F25E4181BBFBA2F7987A1F404135DFDE83654EF3CD045D720

Function 00007FFE13335850 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13335884
getsockopt.WS2_32 ref: 00007FFE133358BF
PyLong_FromLong.PYTHON312 ref: 00007FFE133358CD
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FFE133358E7
getsockopt.WS2_32 ref: 00007FFE13335912
_Py_Dealloc.PYTHON312 ref: 00007FFE1333592C
_PyBytes_Resize.PYTHON312 ref: 00007FFE13335941

Strings

ii|i:getsockopt, xrefs: 00007FFE13335870
getsockopt buflen out of range, xrefs: 00007FFE13335955

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Bytes_FromSizegetsockopt$Arg_DeallocLongLong_ParseResizeStringTuple_
String ID: getsockopt buflen out of range$ii|i:getsockopt
API String ID: 3532181676-2750947780
Opcode ID: 9b7346a9f4b417b4410470c21b5fb1116251040c05f54305fa742b3d80924aa3
Instruction ID: fe9158ab8376717cd0d34a5079c65de3665ebb21e471ed6b6f02d392223fcf21
Opcode Fuzzy Hash: 9b7346a9f4b417b4410470c21b5fb1116251040c05f54305fa742b3d80924aa3
Instruction Fuzzy Hash: 15316D72A0DE46CAEB14CF26E440569B3A0FB94F64F504175EA9E93AB4DF3CD445CB04

Function 00007FF77D6880C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF77D6880FF
GetWindowLongPtrW.USER32 ref: 00007FF77D68817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF77D688192
GetLastError.KERNEL32 ref: 00007FF77D68819C
SetWindowLongPtrW.USER32 ref: 00007FF77D6881B3

Strings

Needs to remove its temporary files., xrefs: 00007FF77D688185

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 8f05c8cd3f3a5116c4117493b49271758d2e5c89a6cadda8ec4540b80e3b5054
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: D7215522E3CA43C1E641AB79F84416AA752EF85FD1F984331DA5DC3394FE2CD5558220

Function 00007FFE133362FC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FFE13336347
PyBuffer_Release.PYTHON312 ref: 00007FFE13336360
PyErr_SetString.PYTHON312 ref: 00007FFE13336377
PyBuffer_Release.PYTHON312 ref: 00007FFE133363AF
PyBuffer_Release.PYTHON312 ref: 00007FFE133363C3
PyBuffer_Release.PYTHON312 ref: 00007FFE133363D2
PyLong_FromSsize_t.PYTHON312 ref: 00007FFE133363DB

Strings

w*|ni:recv_into, xrefs: 00007FFE1333631A
negative buffersize in recv_into, xrefs: 00007FFE13336366
buffer too small for requested bytes, xrefs: 00007FFE133363C9

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Buffer_Release$Arg_Err_FromKeywords_Long_ParseSizeSsize_tStringTuple
String ID: buffer too small for requested bytes$negative buffersize in recv_into$w*|ni:recv_into
API String ID: 1544103690-1758107600
Opcode ID: 673946159e8f77a6d26c868030c16ac5463a28c82a9e80c6b2633c18a65d49cd
Instruction ID: 7d25c0bdc4e1763afbc16a9482783694a6ed131dade767381b67f77e7cd08689
Opcode Fuzzy Hash: 673946159e8f77a6d26c868030c16ac5463a28c82a9e80c6b2633c18a65d49cd
Instruction Fuzzy Hash: 0E21D961A08E42C9EB108B52E4542B9A364BB69BB0F408176D96E63674DF3CE588C709

Function 00007FFE1A459164 Relevance: 16.7, APIs: 11, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4591CC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4592C9
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459322
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45934E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459360
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45938F

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 3cac31fbce2037cca8b65a6457a1f6e1f72e09754060cc87a73fdfbcf94b07ef
Instruction ID: 6fb72a7b33907f36b10538f7b77f9c94779bffe61cc6cabd7b9bce20e22d6a9b
Opcode Fuzzy Hash: 3cac31fbce2037cca8b65a6457a1f6e1f72e09754060cc87a73fdfbcf94b07ef
Instruction Fuzzy Hash: 797140B2B05E46ADFB11EF62D4501FC33B1AB45B9CB4048B2DA0D57AAADF34D625C390

Function 00007FFE1A45AAC8 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AB22
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AC58

Strings

class , xrefs: 00007FFE1A45AC6D
cointerface , xrefs: 00007FFE1A45ABFF
`unknown ecsu', xrefs: 00007FFE1A45AAEE
enum , xrefs: 00007FFE1A45AC35
coclass , xrefs: 00007FFE1A45AC11
struct , xrefs: 00007FFE1A45AC7C
union , xrefs: 00007FFE1A45AC85

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: 50e8110e92645124a6d82ffc9330fdaa6dc52167fa44e73d911cd3f80f86a47a
Instruction ID: 6fc5acf3494eeb3f8701cc411fabb80c64b441b178f4a56e7a5f9de271fbf314
Opcode Fuzzy Hash: 50e8110e92645124a6d82ffc9330fdaa6dc52167fa44e73d911cd3f80f86a47a
Instruction Fuzzy Hash: 89518CB2F08F52C9FB11EB66E8841BC27B1BB05B64F5040F6DA5D13AA9DF28E564C340

Function 00007FFE133368DC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE1333691E
_PyDeadline_Get.PYTHON312 ref: 00007FFE13336956
PyErr_CheckSignals.PYTHON312 ref: 00007FFE133369C6
PyBuffer_Release.PYTHON312 ref: 00007FFE133369DE
PyBuffer_Release.PYTHON312 ref: 00007FFE133369F9
PyErr_SetString.PYTHON312 ref: 00007FFE13336A3C

Strings

y*|i:sendall, xrefs: 00007FFE13336904
timed out, xrefs: 00007FFE13336A32

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Buffer_Err_Release$Arg_CheckDeadline_ParseSignalsSizeStringTuple_
String ID: timed out$y*|i:sendall
API String ID: 1463051379-3431350491
Opcode ID: 6a75edbffb958b18a743e733ce9c1f25ab04acde408a5ac49f293f7a7651ded7
Instruction ID: 63bf0a88489103a88b28e1f46e019c30fdbe789cfc2ca04519b9adbae9778e3e
Opcode Fuzzy Hash: 6a75edbffb958b18a743e733ce9c1f25ab04acde408a5ac49f293f7a7651ded7
Instruction Fuzzy Hash: 49410C32A08A82C9E7109F16E8403A9B364FB54FA4F448075DE6D63765DF3CE4459704

Function 00007FFE133363EC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE1333641B
PyErr_SetString.PYTHON312 ref: 00007FFE13336440
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FFE13336455
_PyBytes_Resize.PYTHON312 ref: 00007FFE1333649E
PyTuple_Pack.PYTHON312 ref: 00007FFE133364B5
_Py_Dealloc.PYTHON312 ref: 00007FFE133364D3
_Py_Dealloc.PYTHON312 ref: 00007FFE133364EC

Strings

negative buffersize in recvfrom, xrefs: 00007FFE13336436
n|i:recvfrom, xrefs: 00007FFE13336408

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Bytes_DeallocSizeStringTuple_$Arg_Err_FromPackParseResize
String ID: negative buffersize in recvfrom$n|i:recvfrom
API String ID: 3092067012-1867657612
Opcode ID: 73346fe6d78f416ddd0d404cc1eab1bd50427c101807ce8ae55e63a2c3ceedcf
Instruction ID: 1bc7ce6837107091dbf164da3f225ca84d5be819b4ff7ad6c24a2809cdcea0aa
Opcode Fuzzy Hash: 73346fe6d78f416ddd0d404cc1eab1bd50427c101807ce8ae55e63a2c3ceedcf
Instruction Fuzzy Hash: B8313E71E09F428EEA458B16E484279A3A0FFA4FB0F048075DA5E57775DE3CE084D708

Function 00007FFE004546A8 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 62COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFE004546E7
_PyArg_BadArgument.PYTHON312 ref: 00007FFE00454720
_PyUnicode_ToDigit.PYTHON312 ref: 00007FFE00454740
PyErr_SetString.PYTHON312 ref: 00007FFE00454760
PyLong_FromLong.PYTHON312 ref: 00007FFE00454778

Strings

a unicode character, xrefs: 00007FFE0045470B
argument 1, xrefs: 00007FFE00454719
digit, xrefs: 00007FFE004546D7, 00007FFE00454712
not a digit, xrefs: 00007FFE00454756

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_$ArgumentCheckDigitErr_FromLongLong_PositionalStringUnicode_
String ID: a unicode character$argument 1$digit$not a digit
API String ID: 4245020737-4278345224
Opcode ID: d2c025be6f32e1fa96eb3f1c6703f3e18d3fbf46a97c983d3ea169cd79d16b21
Instruction ID: bd3323611e4bf2da7ba8db35e1984f09f8b00b63baaaee2d13687cc6b1b172bc
Opcode Fuzzy Hash: d2c025be6f32e1fa96eb3f1c6703f3e18d3fbf46a97c983d3ea169cd79d16b21
Instruction Fuzzy Hash: 3D213C35F08A4281EB508B15D4542792364FF99B8AF544036DB4E8BB7EDF3DE585C704

Function 00007FFE133377C0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60threadnetworkCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13337802
PySys_Audit.PYTHON312 ref: 00007FFE13337824
PyEval_SaveThread.PYTHON312 ref: 00007FFE13337856
gethostbyname.WS2_32 ref: 00007FFE13337864
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13337870
PyMem_Free.PYTHON312 ref: 00007FFE13337897

Strings

et:gethostbyname_ex, xrefs: 00007FFE133377F9
socket.gethostbyname, xrefs: 00007FFE1333781D
idna, xrefs: 00007FFE133377EF

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$Arg_AuditFreeMem_ParseRestoreSaveSizeSys_Tuple_gethostbyname
String ID: et:gethostbyname_ex$idna$socket.gethostbyname
API String ID: 646687969-574663143
Opcode ID: ec482da62ace3c18e29763a798791d74dcac66a763997dd1372a643aceded0d3
Instruction ID: efa7706a075720c3c6c72e364b19ca93856ddf8ab8d93a1e25c7eb4a3602fd6c
Opcode Fuzzy Hash: ec482da62ace3c18e29763a798791d74dcac66a763997dd1372a643aceded0d3
Instruction Fuzzy Hash: 7E217161B18E828AEB509B23F8043AAA360FB98FE0F448172DE6D67764DF3CD005C744

Function 00007FFE133383C0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE133383E7
inet_pton.WS2_32 ref: 00007FFE133383FF
PyErr_SetFromErrno.PYTHON312 ref: 00007FFE13338413
PyErr_SetString.PYTHON312 ref: 00007FFE13338469

Strings

illegal IP address string passed to inet_pton, xrefs: 00007FFE1333841D
is:inet_pton, xrefs: 00007FFE133383DB
unknown address family, xrefs: 00007FFE13338458

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_$Arg_ErrnoFromParseSizeStringTuple_inet_pton
String ID: illegal IP address string passed to inet_pton$is:inet_pton$unknown address family
API String ID: 907464-903159468
Opcode ID: 5f6f26fc013610328acae758eccd67dd248d553df625ba587abfcb104ef9a032
Instruction ID: b76e9215b4284225cf9aeec324e66977c13c1936b399a34afe4365bb69ecda2c
Opcode Fuzzy Hash: 5f6f26fc013610328acae758eccd67dd248d553df625ba587abfcb104ef9a032
Instruction Fuzzy Hash: 28212461A1CD42CAEA50DB12E450279A761FFA4F74F508071E56EA79B4CF3CE548C705

Function 00007FFE13332A20 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE13332A48
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE13332A9A
_RTC_Initialize.LIBCMT ref: 00007FFE13332AC8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE13332AEE
__scrt_release_startup_lock.LIBCMT ref: 00007FFE13332B19

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 91504536c4c753e82cdbe588412995d0809db0d3d25c664ce5a0f1fe9eeb7b4f
Instruction ID: 540efc5eb9ea3d922e966a49d67bfd45b57e3b77f7500925d7f5168edf133533
Opcode Fuzzy Hash: 91504536c4c753e82cdbe588412995d0809db0d3d25c664ce5a0f1fe9eeb7b4f
Instruction Fuzzy Hash: FF816F20E0CE438EFA50AB57D4412B9A290AF65FB0F54C0B5D96DA77B2DE3CE845C708

Function 00007FFE00452720 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE00452748
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE0045279A
_RTC_Initialize.LIBCMT ref: 00007FFE004527C8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE004527EE
__scrt_release_startup_lock.LIBCMT ref: 00007FFE00452819

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: bc53fe8a0eda1481b36a314380ac74b5aff62c5ee69524d86cd6bd6c99e3d1c0
Instruction ID: f1d6aefaa9ecd11a99e0152788eae0eb2e804b6a750f8c6fada09de7cdcf2a0c
Opcode Fuzzy Hash: bc53fe8a0eda1481b36a314380ac74b5aff62c5ee69524d86cd6bd6c99e3d1c0
Instruction Fuzzy Hash: CB81CF21F0C64346FB65AB65A64127922A0AF87782F548136EB0C533BFDFBCF9458708

Function 00007FFE148E1190 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE148E11B8
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE148E120A
_RTC_Initialize.LIBCMT ref: 00007FFE148E1238
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE148E125E
__scrt_release_startup_lock.LIBCMT ref: 00007FFE148E1289

Memory Dump Source

Source File: 00000001.00000002.2667804984.00007FFE148E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000001.00000002.2667789447.00007FFE148E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667838554.00007FFE148E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667854016.00007FFE148E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe148e0000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: b57b117b731fe6fadf01a2aa5e6dfd03c7664753ee25818152bc9f2dcd8646e2
Instruction ID: 4f114a5d4cb9a870bf8768fd905f01e2966f9acb4107f974a0e85a711d135814
Opcode Fuzzy Hash: b57b117b731fe6fadf01a2aa5e6dfd03c7664753ee25818152bc9f2dcd8646e2
Instruction Fuzzy Hash: B4815E21E08E4386FA509B6798C12F9E291AF47BA4F4481B5F94D677B7DF2CE84D8700

Function 00007FFE13337090 Relevance: 15.1, APIs: 10, Instructions: 60networkCOMMON

Download Yara Rule

APIs

PyLong_AsLongLong.PYTHON312 ref: 00007FFE133370AE
PyErr_Occurred.PYTHON312 ref: 00007FFE133370BD
GetCurrentProcessId.KERNEL32 ref: 00007FFE133370C8
WSADuplicateSocketW.WS2_32 ref: 00007FFE133370D8
WSASocketW.WS2_32 ref: 00007FFE1333710B
SetHandleInformation.KERNEL32 ref: 00007FFE13337125
PyErr_SetFromWindowsErr.PYTHON312 ref: 00007FFE13337131
closesocket.WS2_32 ref: 00007FFE1333713A
PyLong_FromLongLong.PYTHON312 ref: 00007FFE1333714F
closesocket.WS2_32 ref: 00007FFE13337160

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Long$Err_FromLong_Socketclosesocket$CurrentDuplicateHandleInformationOccurredProcessWindows
String ID:
API String ID: 3394293678-0
Opcode ID: 4c347251b0cb3e997720691e5f1e8047ee37cb6823bc12014edeb51918814818
Instruction ID: 3be6c8a792d505c79f87e68736eaf3eedf94f288b355b5f08a482d1ffbc9f993
Opcode Fuzzy Hash: 4c347251b0cb3e997720691e5f1e8047ee37cb6823bc12014edeb51918814818
Instruction Fuzzy Hash: 26214921F18E4285FA555B23A8183B5A250AF64FB5F0482B4D87E667F4DF3CE0448604

Function 00007FF77D696290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6962D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6966C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69695C

Strings

p, xrefs: 00007FF77D6963FD
f, xrefs: 00007FF77D6963F5
-, xrefs: 00007FF77D696369
:, xrefs: 00007FF77D69648C
p, xrefs: 00007FF77D696385

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: d9aab633c8f04de42bd4728b457c556a7bdbb2263cd69309181dd9a70507b33f
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 48127273E3C34386FB247A94D25427BB693EB50794FC44279E689876C4EB3CE5809B21

Function 00007FF77D690FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D691008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6913D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69166F

Strings

p, xrefs: 00007FF77D691112
p, xrefs: 00007FF77D6910AD
f, xrefs: 00007FF77D6910A0
f, xrefs: 00007FF77D69110A
f, xrefs: 00007FF77D691255

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 1fc66d006c6cbfe357807823516de38c13e5d618623b1bb0c58bbff24acb8589
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 571252A3E3C5438AFB207A15D05467BB6A3FB407D4FE44279D699866C4EB7CE5408B30

Function 00007FFE1A4537F8 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A453996
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4539A3

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453C57
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453CA2
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A453CD7

Strings

csm, xrefs: 00007FFE1A4539BF
csm, xrefs: 00007FFE1A45393F
csm, xrefs: 00007FFE1A4538DD

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: aad8d4203d0b1849c4fce47835e3c613ec0ba3b35d99662ed70f641d37e67567
Instruction ID: 84db0f3033635d0a868e712f29b609f6a017eeff5fc66594e5dbf62a63eb592f
Opcode Fuzzy Hash: aad8d4203d0b1849c4fce47835e3c613ec0ba3b35d99662ed70f641d37e67567
Instruction Fuzzy Hash: 60E1D2B3B08B828AE751AF36D4903BD77A0FB45B68F1401B6DA4D57666CF38E5A1C700

Function 00007FF77D681050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77D6810CC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF77D6811F6
fseek, xrefs: 00007FF77D6810D3
Failed to extract %s: failed to open archive file!, xrefs: 00007FF77D681098
fread, xrefs: 00007FF77D6811FD
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF77D681108
malloc, xrefs: 00007FF77D68110F

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: b335e3e51a8458dc0a826c3b61de4e36bd76f5e9c0fd9c19ac7df80fec457176
Instruction ID: 01ad64ff8b063d00765917566a35483823c59f4bff9c8d3f0c7078e534128e88
Opcode Fuzzy Hash: b335e3e51a8458dc0a826c3b61de4e36bd76f5e9c0fd9c19ac7df80fec457176
Instruction Fuzzy Hash: 70415C63E3C65285EA10FB16A8006BBE797BB84BC4FC44631ED8C87785EE3CE5458320

Function 00007FF77D688660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF77D683CBB), ref: 00007FF77D688704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF77D683CBB), ref: 00007FF77D68870A
CreateDirectoryW.KERNEL32(?,00000000,00007FF77D683CBB), ref: 00007FF77D68874C

Part of subcall function 00007FF77D688830: GetEnvironmentVariableW.KERNEL32(00007FF77D68388E), ref: 00007FF77D688867
Part of subcall function 00007FF77D688830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF77D688889

Part of subcall function 00007FF77D698238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D698251

Part of subcall function 00007FF77D682810: MessageBoxW.USER32 ref: 00007FF77D6828EA

Strings

LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF77D68877E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF77D6886DC
_MEI%d, xrefs: 00007FF77D688712
TMP, xrefs: 00007FF77D6886C2
TMP, xrefs: 00007FF77D68869C, 00007FF77D6887A3

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
Instruction ID: 50204aff8da51a422479435c137203fc0330067df22e64af5479c5e94f38ef68
Opcode Fuzzy Hash: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
Instruction Fuzzy Hash: FF418E13E3D64284EA10B765A8552BB9393AF85BC4FC40336ED4EC769AFE3CE5018760

Function 00007FFE148E266C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

PySequence_Fast.PYTHON312(00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E2694
PyObject_AsFileDescriptor.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E2709
PyErr_SetString.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E278F
_Py_Dealloc.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E27A3
_Py_Dealloc.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E27B7

Strings

arguments 1-3 must be sequences, xrefs: 00007FFE148E268D
too many file descriptors in select(), xrefs: 00007FFE148E2785

Memory Dump Source

Source File: 00000001.00000002.2667804984.00007FFE148E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000001.00000002.2667789447.00007FFE148E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667838554.00007FFE148E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667854016.00007FFE148E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe148e0000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Dealloc$DescriptorErr_FastFileObject_Sequence_String
String ID: arguments 1-3 must be sequences$too many file descriptors in select()
API String ID: 3320488554-3996108163
Opcode ID: 663c9d7e54148f1ae31ea019f9802c07c2ccdac2675d68113b08dfc84bed29b7
Instruction ID: 0ff7c6baa9bbed62cc43e5876c8b7d189be9f88e30ceaee73e99b7e41936ac1f
Opcode Fuzzy Hash: 663c9d7e54148f1ae31ea019f9802c07c2ccdac2675d68113b08dfc84bed29b7
Instruction Fuzzy Hash: 98419136A08F0289EB158F16E884178B7A1FB86BB4F1442B5EA5E537B4DF3CE459C300

Function 00007FFE1A45C7F8 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C9AC

Part of subcall function 00007FFE1A4594B8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459A29
Part of subcall function 00007FFE1A4594B8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459A5E

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C95E

Strings

cli::array<, xrefs: 00007FFE1A45C92B
std::nullptr_t, xrefs: 00007FFE1A45C8D7
std::nullptr_t , xrefs: 00007FFE1A45C8EA
void , xrefs: 00007FFE1A45C86A
void, xrefs: 00007FFE1A45C842
cli::pin_ptr<, xrefs: 00007FFE1A45C975

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: 0e84257edd8271f32b759845b73cd3eefe07970f5e22a962a9d02e38f5861642
Instruction ID: a50961141b2aa76dd593645c823cb9b5a686f9e17db93be2c79e1738c74976c0
Opcode Fuzzy Hash: 0e84257edd8271f32b759845b73cd3eefe07970f5e22a962a9d02e38f5861642
Instruction Fuzzy Hash: C2513BA2F18F5298FB519B62D8402BD37B0BB08B68F4442F7DA4D13AA5DF3C91A4C754

Function 00007FFE1333855C Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

_PyTime_FromSeconds.PYTHON312(?,?,?,00007FFE13336E2F), ref: 00007FFE13338573
_PyTime_FromSecondsObject.PYTHON312(?,?,?,00007FFE13336E2F), ref: 00007FFE1333858A
PyErr_SetString.PYTHON312(?,?,?,00007FFE13336E2F), ref: 00007FFE133385AD
_PyTime_AsTimeval.PYTHON312(?,?,?,00007FFE13336E2F), ref: 00007FFE133385CA
_PyTime_AsMilliseconds.PYTHON312(?,?,?,00007FFE13336E2F), ref: 00007FFE133385DD
PyErr_SetString.PYTHON312(?,?,?,00007FFE13336E2F), ref: 00007FFE1333860B

Strings

Timeout value out of range, xrefs: 00007FFE133385A3
timeout doesn't fit into C timeval, xrefs: 00007FFE13338601

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Time_$Err_FromSecondsString$MillisecondsObjectTimeval
String ID: Timeout value out of range$timeout doesn't fit into C timeval
API String ID: 4240314503-2798848688
Opcode ID: c3110628e0ff8c45ed48e6e42bc6a9de53dce8f64d393fbe66996934f00f37bc
Instruction ID: aba4c75471e18ba74472538c44d124be78e372bf3501378d249909cc0ec465a3
Opcode Fuzzy Hash: c3110628e0ff8c45ed48e6e42bc6a9de53dce8f64d393fbe66996934f00f37bc
Instruction Fuzzy Hash: 9B113021B08E02C6FB508B6AD4502346651AF64FB0F00C271E93E977F0DF6CD5948308

Function 00007FFE133355C4 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

PyErr_GetRaisedException.PYTHON312 ref: 00007FFE133355D1
PyErr_ResourceWarning.PYTHON312 ref: 00007FFE133355F8
PyErr_ExceptionMatches.PYTHON312 ref: 00007FFE1333560C
PyErr_WriteUnraisable.PYTHON312 ref: 00007FFE13335619
PyEval_SaveThread.PYTHON312 ref: 00007FFE1333562B
closesocket.WS2_32 ref: 00007FFE13335637
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13335640

Strings

unclosed %R, xrefs: 00007FFE133355E9

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_$Eval_ExceptionThread$MatchesRaisedResourceRestoreSaveUnraisableWarningWriteclosesocket
String ID: unclosed %R
API String ID: 1660182617-2306019038
Opcode ID: 25b85fd08a291e67ea72e71a9db263f5598e99ae11a4cc00c223ef1659b4300f
Instruction ID: 98d7c8b02308405061e7f1421defa732938bddca374bab55db80ed546b1eeefa
Opcode Fuzzy Hash: 25b85fd08a291e67ea72e71a9db263f5598e99ae11a4cc00c223ef1659b4300f
Instruction Fuzzy Hash: 4D01A525A18F42C6E6149B23A8041A4A364BF59FB4B049371DE7F677E5CF3CD4958314

Function 00007FFE13337B9C Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 32threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13337BAF
PyEval_SaveThread.PYTHON312 ref: 00007FFE13337BC7
getprotobyname.WS2_32 ref: 00007FFE13337BD5
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13337BE1
PyErr_SetString.PYTHON312 ref: 00007FFE13337C02

Strings

protocol not found, xrefs: 00007FFE13337BF8
s:getprotobyname, xrefs: 00007FFE13337BA8

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$Arg_Err_ParseRestoreSaveSizeStringTuple_getprotobyname
String ID: protocol not found$s:getprotobyname
API String ID: 862796068-630402058
Opcode ID: 5e26fb8bbdc9310467d939e6e5269e35e791270880cd3d67430df1cfafc901d3
Instruction ID: 283ad89f4b40581c1f8a40fdcd7203a89890ee5eba45b2518ad00daba6d815da
Opcode Fuzzy Hash: 5e26fb8bbdc9310467d939e6e5269e35e791270880cd3d67430df1cfafc901d3
Instruction Fuzzy Hash: 79012165A18E42CAEA159B13E984179A360FFA8FA1F448071C96E63734DF3CD094C708

Function 00007FFE13338170 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 29stringCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13338183
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE13338199
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FFE133381B4
inet_addr.WS2_32 ref: 00007FFE133381C4
PyErr_SetString.PYTHON312 ref: 00007FFE133381E4

Strings

s:inet_aton, xrefs: 00007FFE1333817C
illegal IP address string passed to inet_aton, xrefs: 00007FFE133381DA
255.255.255.255, xrefs: 00007FFE13338192

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: SizeString$Arg_Bytes_Err_FromParseTuple_inet_addrstrcmp
String ID: 255.255.255.255$illegal IP address string passed to inet_aton$s:inet_aton
API String ID: 717551241-4110412280
Opcode ID: 084e9850ab497b4604530a89a794d3b40a20c62355ffc3e93d442b1fc817a547
Instruction ID: 401e1b2d96862767ed8d7254ded9b5f96b36c91421951c8761cb7f9cfede639c
Opcode Fuzzy Hash: 084e9850ab497b4604530a89a794d3b40a20c62355ffc3e93d442b1fc817a547
Instruction Fuzzy Hash: 34014F61E08D03C9EA00AB26EC541B9A771EFA1FB4F6081B1D63DA66B4DF2DD449C708

Function 00007FFE133381F0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13338203
PyErr_SetString.PYTHON312 ref: 00007FFE13338226
PyBuffer_Release.PYTHON312 ref: 00007FFE13338231
PyBuffer_Release.PYTHON312 ref: 00007FFE1333824C
inet_ntoa.WS2_32 ref: 00007FFE13338254
PyUnicode_FromString.PYTHON312 ref: 00007FFE1333825D

Strings

y*:inet_ntoa, xrefs: 00007FFE133381FC
packed IP wrong length for inet_ntoa, xrefs: 00007FFE1333821C

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Buffer_ReleaseString$Arg_Err_FromParseSizeTuple_Unicode_inet_ntoa
String ID: packed IP wrong length for inet_ntoa$y*:inet_ntoa
API String ID: 1492101624-3027498899
Opcode ID: a37c0709ab42e32b6aa69015115254f28bf8fa2c783f834efdb7c9b9a77bb895
Instruction ID: fc017d22836e0abad56760b925e388ea7e70d94ec8e8e9011c2a214c67bed505
Opcode Fuzzy Hash: a37c0709ab42e32b6aa69015115254f28bf8fa2c783f834efdb7c9b9a77bb895
Instruction Fuzzy Hash: E3017131A0CE02CAEB10CF26E8941B9A360FB98F64F408171C55E63274CF3CD149C704

Function 00007FFE13334F14 Relevance: 13.6, APIs: 9, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE133341EC: PyErr_SetString.PYTHON312 ref: 00007FFE1333422F

memset.VCRUNTIME140 ref: 00007FFE13334F56

Part of subcall function 00007FFE13335190: WSAGetLastError.WS2_32 ref: 00007FFE13335237
Part of subcall function 00007FFE13335190: WSAGetLastError.WS2_32 ref: 00007FFE1333523F
Part of subcall function 00007FFE13335190: PyErr_CheckSignals.PYTHON312 ref: 00007FFE13335250

SetHandleInformation.KERNEL32 ref: 00007FFE13334FB7
PyErr_SetFromWindowsErr.PYTHON312 ref: 00007FFE13334FC3
closesocket.WS2_32 ref: 00007FFE13334FCC
PyLong_FromLongLong.PYTHON312 ref: 00007FFE13334FE2
closesocket.WS2_32 ref: 00007FFE13334FF3

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_$ErrorFromLastLongclosesocket$CheckHandleInformationLong_SignalsStringWindowsmemset
String ID:
API String ID: 205095079-0
Opcode ID: 63de80f4fcd19a662b9f0a98f01459b248b276ca4dd52e658008932bb04675d9
Instruction ID: 25029d9899dbde9f28ddc4f4961df2840276cc4c5275ebf48c66f48399be87ff
Opcode Fuzzy Hash: 63de80f4fcd19a662b9f0a98f01459b248b276ca4dd52e658008932bb04675d9
Instruction Fuzzy Hash: 7C412231A0CF82C9FA649B12E4443F9A3A0FF69FA4F048171DA9D66BA5DF7DD0418744

Function 00007FF77D68EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF77D68EA65

Part of subcall function 00007FF77D68F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF77D68F9FF
Part of subcall function 00007FF77D68F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF77D68FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF77D68EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF77D68ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF77D68EE98

Strings

csm, xrefs: 00007FF77D68EB60
csm, xrefs: 00007FF77D68EA7F
csm, xrefs: 00007FF77D68EAE6

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 3513ea4b6d242e8808e2c46404d92e596a2edcbc03762cb966261ad0d9c977c0
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: FFD18E27E2C741CAEB20AB2494403AEA7A1FB557D8F900235DE4D97B96EF3DE494C710

Function 00007FFE1A45662A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456B10: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A456B60
Part of subcall function 00007FFE1A456B10: RaiseException.KERNEL32 ref: 00007FFE1A456BA1

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4566C7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE1A456723

Strings

Bad dynamic_cast!, xrefs: 00007FFE1A456792
Attempted a typeid of nullptr pointer!, xrefs: 00007FFE1A456805
Bad read pointer - no RTTI data!, xrefs: 00007FFE1A456828
Access violation - no RTTI data!, xrefs: 00007FFE1A45662A, 00007FFE1A45684B

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 4ef8ad2c729168d00ef0645f383a1968f42c4eb1f6a8b3717fe5ffb80b324514
Instruction ID: 94ed81efe7f57d1ae8c2a69ed7d50f2aa5380855d6dfe5f07c6e85ae284c8123
Opcode Fuzzy Hash: 4ef8ad2c729168d00ef0645f383a1968f42c4eb1f6a8b3717fe5ffb80b324514
Instruction Fuzzy Hash: 7B5190A2B19E8692DA20EB12F8502B9A360FF44FA4F0445B3DA5D43778DF3CE525C700

Function 00007FF77D69ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF77D69F0AA,?,?,-00000018,00007FF77D69AD53,?,?,?,00007FF77D69AC4A,?,?,?,00007FF77D695F3E), ref: 00007FF77D69EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF77D69F0AA,?,?,-00000018,00007FF77D69AD53,?,?,?,00007FF77D69AC4A,?,?,?,00007FF77D695F3E), ref: 00007FF77D69EE98

Strings

api-ms-, xrefs: 00007FF77D69EDD6
ext-ms-, xrefs: 00007FF77D69EDE9

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 3f419700d9c87f4cc518c828b84b93490e374cb9828bfc36d435b36294ff061f
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: D041C127F3EA1281EA15AB169800577A293BF49BD0FD84639DD1DC7785FE3CE4098220

Function 00007FF77D682C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF77D683706,?,00007FF77D683804), ref: 00007FF77D682D63
MessageBoxW.USER32 ref: 00007FF77D682D99

Strings

Error, xrefs: 00007FF77D682D8C
[PYI-%d:ERROR] , xrefs: 00007FF77D682CA6
<FormatMessageW failed.>, xrefs: 00007FF77D682D70
%ls: , xrefs: 00007FF77D682D22

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 537b623d01a84f08960f518e141ccaae2c50135e1e60a1aeec94eae88f1fe8c7
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 8531B863B2C64192E620B715A8106ABA693BB887D4F810235EF4E93759EF3CD546C310

Function 00007FFE1A456FE4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A457069
GetLastError.KERNEL32(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A457077
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A457090
LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A4570A2
FreeLibrary.KERNEL32(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A457110
GetProcAddress.KERNEL32(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A45711C

Strings

api-ms-, xrefs: 00007FFE1A457089

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 76e9ed00015fa7378e2762435fe1c6674923b12dca3248f544122840abba5d3b
Instruction ID: 6664a0b00e140a49ea41bd201f55bccb93ae670519e61bde195a6ec51cb72521
Opcode Fuzzy Hash: 76e9ed00015fa7378e2762435fe1c6674923b12dca3248f544122840abba5d3b
Instruction Fuzzy Hash: D4316F61B1AF8295EE11EB03A8005B563E4BF44FB4F5949B6DD2E4B3A4EF3CE5648300

Function 00007FFE13336198 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE133361C0
PyErr_SetString.PYTHON312 ref: 00007FFE133361E5
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FFE133361F5
_Py_Dealloc.PYTHON312 ref: 00007FFE13336230
_PyBytes_Resize.PYTHON312 ref: 00007FFE13336247

Strings

n|i:recv, xrefs: 00007FFE133361B9
negative buffersize in recv, xrefs: 00007FFE133361DB

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Bytes_SizeString$Arg_DeallocErr_FromParseResizeTuple_
String ID: negative buffersize in recv$n|i:recv
API String ID: 1342606314-3647384195
Opcode ID: 29fb8dffb30c6af5d72d23fc4fc4b8e2e26d01538630a85b1ae85e9e50577ef5
Instruction ID: b1cd865dc43c1dd7e4a7d870e57943864af4146083a3e79a0f280404c4fa4bf6
Opcode Fuzzy Hash: 29fb8dffb30c6af5d72d23fc4fc4b8e2e26d01538630a85b1ae85e9e50577ef5
Instruction Fuzzy Hash: E7114D71A09E42C9EA108B52E4842BAE370FFA4FB4F008172D99D667B5DF7CE144D704

Function 00007FFE133380E8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13338102
if_nametoindex.IPHLPAPI ref: 00007FFE1333811E
_Py_Dealloc.PYTHON312 ref: 00007FFE13338136
PyErr_SetString.PYTHON312 ref: 00007FFE13338151

Strings

O&:if_nametoindex, xrefs: 00007FFE133380FB
no interface with this name, xrefs: 00007FFE13338147

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_DeallocErr_ParseSizeStringTuple_if_nametoindex
String ID: O&:if_nametoindex$no interface with this name
API String ID: 3052430728-3835682882
Opcode ID: 3ac5c3a51fb341192d0c4d14695c2bd4c19b6b6ccdf855b40aa773fc1d6a75dc
Instruction ID: 51c7a5b8833b9d4733ae7585523635fc511548edc086eadc5e1a6a9e75d54220
Opcode Fuzzy Hash: 3ac5c3a51fb341192d0c4d14695c2bd4c19b6b6ccdf855b40aa773fc1d6a75dc
Instruction Fuzzy Hash: 58011261E0CE03C9E7109F23E880279A360FFA9F64F508471C96E66270CE7DD4488708

Function 00007FFE13337E48 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 25networkCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13337E5B
PyErr_SetString.PYTHON312 ref: 00007FFE13337E7E
htons.WS2_32 ref: 00007FFE13337E99
PyLong_FromUnsignedLong.PYTHON312 ref: 00007FFE13337EA2

Strings

i:htons, xrefs: 00007FFE13337E54
htons: Python int too large to convert to C 16-bit unsigned integer, xrefs: 00007FFE13337E90
htons: can't convert negative Python int to C 16-bit unsigned integer, xrefs: 00007FFE13337E6D

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_Err_FromLongLong_ParseSizeStringTuple_Unsignedhtons
String ID: htons: Python int too large to convert to C 16-bit unsigned integer$htons: can't convert negative Python int to C 16-bit unsigned integer$i:htons
API String ID: 1102113319-997571130
Opcode ID: 6fe04cd82cc3000d18dcf2e81bb2daf4d1c2563f8a0b84c539f7a4416ede929e
Instruction ID: 0f9e5c28411b88c61817ce67de4d69ac38933b6c1c4934cc4231e32bf5fb8f46
Opcode Fuzzy Hash: 6fe04cd82cc3000d18dcf2e81bb2daf4d1c2563f8a0b84c539f7a4416ede929e
Instruction Fuzzy Hash: 7EF09661E0DD43D9EA158B17E890274B360BF64F61F90C4B1C46EA6170CF2CE804D318

Function 00007FFE133384F4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 25networkCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13338507
PyErr_SetString.PYTHON312 ref: 00007FFE1333852A
htons.WS2_32 ref: 00007FFE13338545
PyLong_FromUnsignedLong.PYTHON312 ref: 00007FFE1333854E

Strings

ntohs: Python int too large to convert to C 16-bit unsigned integer, xrefs: 00007FFE1333853C
i:ntohs, xrefs: 00007FFE13338500
ntohs: can't convert negative Python int to C 16-bit unsigned integer, xrefs: 00007FFE13338519

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_Err_FromLongLong_ParseSizeStringTuple_Unsignedhtons
String ID: i:ntohs$ntohs: Python int too large to convert to C 16-bit unsigned integer$ntohs: can't convert negative Python int to C 16-bit unsigned integer
API String ID: 1102113319-2476431691
Opcode ID: 89a767ad913e0f8faf4df47f62d0b46607f468db7b7541010cbad5f5dbaaabd7
Instruction ID: 605603c2b073f10162f0a3f75e8a67b74d5270de95776ad46c55917bc1c0e904
Opcode Fuzzy Hash: 89a767ad913e0f8faf4df47f62d0b46607f468db7b7541010cbad5f5dbaaabd7
Instruction Fuzzy Hash: AAF0FF65E0CD43C9FA549B17E8502B4A360AF64F61F9084B5C56E6A174DE2CE548D318

Function 00007FFE1A452C38 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452CF0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452D0E
__AdjustPointer.LIBCMT ref: 00007FFE1A452D4F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452D5C
__AdjustPointer.LIBCMT ref: 00007FFE1A452D98
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452DAD
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452DF2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452DF9

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 65b26e5f074ca0aafdff43cbb52cf6556557cf4e92b090b05be647d0b4ff5bec
Instruction ID: a4978e7ee7698631ff501eb76c3296e22e32bc2b5e6074913a1a1f1cd7a594c8
Opcode Fuzzy Hash: 65b26e5f074ca0aafdff43cbb52cf6556557cf4e92b090b05be647d0b4ff5bec
Instruction Fuzzy Hash: 6B51B4A1B09F4281FAA6AB13944467863A4AF44FB4B0944F7EE5D077B5DF3CE466C700

Function 00007FFE1A452E1C Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452ED6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452EF5
__AdjustPointer.LIBCMT ref: 00007FFE1A452F36
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452F43
__AdjustPointer.LIBCMT ref: 00007FFE1A452F7F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452F94
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452FD9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452FE0

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: d568fcbafcd5d9e8e83e95e63f5b62363508f79f2b2b670005157146ca98b55e
Instruction ID: e40670b8eb57816f2c1d056eca00c665782a1e9bb4590be741aafe81845a1856
Opcode Fuzzy Hash: d568fcbafcd5d9e8e83e95e63f5b62363508f79f2b2b670005157146ca98b55e
Instruction Fuzzy Hash: E451D8A2B09E4281EEA5EB53A44463C63A4AF54FB4F0584F7EA5D077B4DF3CE4619700

Function 00007FFE1A45EB88 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45EBFC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45EC0B

Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE4D
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE86
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D1B1

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45ECAB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45ECBB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45ED67

Strings

{for , xrefs: 00007FFE1A45EC34

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: ad201dfe96a96ae0dc6555201844fc758e8e36effd4b63a30410ed7392a88b68
Instruction ID: a7c774f889c1db850d00febc479d16f6673b4272eb53b0ad85fbbb64df639d16
Opcode Fuzzy Hash: ad201dfe96a96ae0dc6555201844fc758e8e36effd4b63a30410ed7392a88b68
Instruction Fuzzy Hash: 4B513CB2B08E45A9F711AF26D4413F837A1EB45B58F4084B2EA4C07BA5DF7CD564C700

Function 00007FFE004516D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFE004517A8
PyUnicode_FromString.PYTHON312 ref: 00007FFE0045180C
_PyArg_BadArgument.PYTHON312 ref: 00007FFE004539C2

Strings

category, xrefs: 00007FFE004539BB
a unicode character, xrefs: 00007FFE004539AD
argument, xrefs: 00007FFE004539B4

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_ArgumentFromStringSubtypeType_Unicode_
String ID: a unicode character$argument$category
API String ID: 1318908108-2068800536
Opcode ID: c31e599aff6ce8fd118d7930930d13bb61e4023c7ccaaddb711cf16cebfbc0cd
Instruction ID: 8fa94afedb5c7c33744dbbb0e421c6cfe28aa9f5efef4a2c4ba5cd3ca844851e
Opcode Fuzzy Hash: c31e599aff6ce8fd118d7930930d13bb61e4023c7ccaaddb711cf16cebfbc0cd
Instruction Fuzzy Hash: 2551CBA2F19A5682EF648B09D4603792361FB44B86F440035DB8F477B9DF3CE891C304

Function 00007FFE00451000 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFE004510D3
PyUnicode_FromString.PYTHON312 ref: 00007FFE004510F8
_PyArg_BadArgument.PYTHON312 ref: 00007FFE00453690

Strings

a unicode character, xrefs: 00007FFE0045367B
bidirectional, xrefs: 00007FFE00453689
argument, xrefs: 00007FFE00453682

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_ArgumentFromStringSubtypeType_Unicode_
String ID: a unicode character$argument$bidirectional
API String ID: 1318908108-2110215792
Opcode ID: 2be184d8cc6ee1ee00809d45acc887d572eb9887141ab2374770304697e252f3
Instruction ID: cac4205d5816d135a4be173deb98e53c4222853bda58ea10acadcceb51c9cbea
Opcode Fuzzy Hash: 2be184d8cc6ee1ee00809d45acc887d572eb9887141ab2374770304697e252f3
Instruction Fuzzy Hash: A741E766B18A9382EB688B15D4613792361FB04BD2F445039DB5E47BFACF2DE890C308

Function 00007FFE1A45E174 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A45D86D), ref: 00007FFE1A45E238
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45E257

Strings

`template-parameter, xrefs: 00007FFE1A45E265
void, xrefs: 00007FFE1A45E1BA

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 1a349dcf90f4e371f1810c8875e562b3843b42aeee856190ba29246ab6ec8260
Instruction ID: 65f398a89f83fb43c1b66a9be4ed9a392c78d19a3d9c7cbe8bf1b71a77ebed61
Opcode Fuzzy Hash: 1a349dcf90f4e371f1810c8875e562b3843b42aeee856190ba29246ab6ec8260
Instruction Fuzzy Hash: 7A414BA2F08F5688FB11DBA2D8512FC23B1BB48BA4F5441B6DE0C17669DF7CA565C340

Function 00007FF77D68DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF77D68DF7A,?,?,?,00007FF77D68DC6C,?,?,?,00007FF77D68D869), ref: 00007FF77D68DD4D
GetLastError.KERNEL32(?,?,?,00007FF77D68DF7A,?,?,?,00007FF77D68DC6C,?,?,?,00007FF77D68D869), ref: 00007FF77D68DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF77D68DF7A,?,?,?,00007FF77D68DC6C,?,?,?,00007FF77D68D869), ref: 00007FF77D68DD85
FreeLibrary.KERNEL32(?,?,?,00007FF77D68DF7A,?,?,?,00007FF77D68DC6C,?,?,?,00007FF77D68D869), ref: 00007FF77D68DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF77D68DF7A,?,?,?,00007FF77D68DC6C,?,?,?,00007FF77D68D869), ref: 00007FF77D68DDFF

Strings

api-ms-, xrefs: 00007FF77D68DD6D

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 1fb76656279d9900e4032762bbedfd79774d37c0b2462908baf8b221a47c4ba4
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: C9318F23F3E642D5EE11AB1694005AAA7D6FF48BE4F994635DE1D86380FE3CE4488730

Function 00007FFE1A458EC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A458D3C: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A458DFD

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458F72

Strings

<ellipsis>, xrefs: 00007FFE1A458FBF
,<ellipsis>, xrefs: 00007FFE1A458F50
,..., xrefs: 00007FFE1A458F40
..., xrefs: 00007FFE1A458FAF
void, xrefs: 00007FFE1A458FE4

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: cc95b6719b0dfac949915fa95283a824f9a94d2610a8c8b5f10b5de908d24d67
Instruction ID: a452b16370b518dbc48d18b56aeada359cb9f7a9f502f39c13c0ae49ebffb65d
Opcode Fuzzy Hash: cc95b6719b0dfac949915fa95283a824f9a94d2610a8c8b5f10b5de908d24d67
Instruction Fuzzy Hash: A64126B2B08E469CF7029BA6D8502B837B1BB08B68F9445F2CA5C13765DF7CA564D700

Function 00007FFE1A45ACC4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45ADA7

Strings

char , xrefs: 00007FFE1A45AD4D
long , xrefs: 00007FFE1A45AD26
int , xrefs: 00007FFE1A45AD35
unsigned , xrefs: 00007FFE1A45AD7B
short , xrefs: 00007FFE1A45AD44

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 041e2dffe1b489bc893f09ff0a4f423b3d9eca273271e83df22d622629981137
Instruction ID: 1401689a4dfaf7cc22e032df7bb4adae8887ced41eef325a4d0b7d3a7c4ee6aa
Opcode Fuzzy Hash: 041e2dffe1b489bc893f09ff0a4f423b3d9eca273271e83df22d622629981137
Instruction Fuzzy Hash: FA3151B2B18F5188FB01AF6AD8541BC27B2BB09B55F4481F2DA4C07779DE3C9568CB10

Function 00007FF77D682A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF77D68351A,?,00000000,00007FF77D683F1B), ref: 00007FF77D682AA0

Strings

Warning, xrefs: 00007FF77D682B1E
0, xrefs: 00007FF77D682B16
[PYI-%d:%s] , xrefs: 00007FF77D682AA8
Warning [ANSI Fallback], xrefs: 00007FF77D682B0F
WARNING, xrefs: 00007FF77D682AAF

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 1b3b05edfa342a6c7f06649f5716d58dd1f984ecc9c62e1f30ffa5f348c703cd
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 9A217173A3C78192E620AB55B8417E7A795FB887C4F800236EE8D93659EF3CD245C650

Function 00007FF77D688570 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF77D688590
OpenProcessToken.ADVAPI32 ref: 00007FF77D6885A3
GetTokenInformation.ADVAPI32 ref: 00007FF77D6885C8
GetLastError.KERNEL32 ref: 00007FF77D6885D2
GetTokenInformation.ADVAPI32 ref: 00007FF77D688612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF77D68862E
CloseHandle.KERNEL32 ref: 00007FF77D688646

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
Instruction ID: 94258746bd98367c86d28a0d08f67c62ef3f8c4008dd103b7e33b55fc64fbf5b
Opcode Fuzzy Hash: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
Instruction Fuzzy Hash: CF21F422E2C64381EA50AB55B54423BE7A2EBC5BE4FD00335E6AD83AD5EE6CD8458710

Function 00007FF77D69B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF77D69B15F
FlsGetValue.KERNEL32 ref: 00007FF77D69B174
FlsSetValue.KERNEL32 ref: 00007FF77D69B195
FlsSetValue.KERNEL32 ref: 00007FF77D69B1C2
FlsSetValue.KERNEL32 ref: 00007FF77D69B1D3
FlsSetValue.KERNEL32 ref: 00007FF77D69B1E4
SetLastError.KERNEL32 ref: 00007FF77D69B1FF

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction ID: 174cf1dcc9d109f80b6433a43d60c4efc33aa519a9ace5c3c236834d7e1bb264
Opcode Fuzzy Hash: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction Fuzzy Hash: AD214F26E3C24241F9587729669113BE6835F447F0F94477CE97EC7AC6FD2CA4408320

Function 00007FF77D6A7D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF77D6A7D9D
GetLastError.KERNEL32 ref: 00007FF77D6A7DA9
CloseHandle.KERNEL32 ref: 00007FF77D6A7DC1
CreateFileW.KERNEL32 ref: 00007FF77D6A7DEC
WriteConsoleW.KERNEL32 ref: 00007FF77D6A7E0B

Strings

CONOUT$, xrefs: 00007FF77D6A7DCD

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: 93fa2b00c20efc0f7774d803c743df272006ca24b00337319647b22d24ae8da6
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: D9118422E3CA4186E750AB16F85433AA7A1FB88BE4F500334D99DC7794EF3CD8148750

Function 00007FFE00451150 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFE004536E7
_PyArg_BadArgument.PYTHON312 ref: 00007FFE0045371A

Part of subcall function 00007FFE004511B0: PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFE004511E2
Part of subcall function 00007FFE004511B0: PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFE004511FA
Part of subcall function 00007FFE004511B0: PyType_IsSubtype.PYTHON312 ref: 00007FFE0045121D

Strings

str, xrefs: 00007FFE0045370C
argument 1, xrefs: 00007FFE004536F9
normalize, xrefs: 00007FFE004536DA, 00007FFE00453713
argument 2, xrefs: 00007FFE00453705

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_CompareStringUnicode_With$ArgumentCheckPositionalSubtypeType_
String ID: argument 1$argument 2$normalize$str
API String ID: 4101545800-1320425463
Opcode ID: 6a3206665d50624963465f038f79663c2d3d68664346081dad0779ef5a43a2b4
Instruction ID: cc004fb67dd9a989c02c314886d3232b8b7a078a2e9b057c8f66ac527758f1e6
Opcode Fuzzy Hash: 6a3206665d50624963465f038f79663c2d3d68664346081dad0779ef5a43a2b4
Instruction Fuzzy Hash: F11161A1B08A8691EB60CF55E4517B92760AF08FC6F588036DB0D0B7BEDE2CE584C745

Function 00007FFE00454870 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFE0045489C
_PyArg_BadArgument.PYTHON312 ref: 00007FFE004548D1

Strings

is_normalized, xrefs: 00007FFE0045488F, 00007FFE004548CA
str, xrefs: 00007FFE004548C3
argument 1, xrefs: 00007FFE004548BC
argument 2, xrefs: 00007FFE004548F2

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: argument 1$argument 2$is_normalized$str
API String ID: 3876575403-184702317
Opcode ID: 7c950a274d1c530a4e2b2ee5c75bc666441a244dd8d061769435580234d1272f
Instruction ID: 2408cda255180eb9a92560bc21179e21e299031d70e3f510792eb2e972041d12
Opcode Fuzzy Hash: 7c950a274d1c530a4e2b2ee5c75bc666441a244dd8d061769435580234d1272f
Instruction Fuzzy Hash: 70016D60F08A86A5EB509B12E491BB52360EF84FC9F488031DB4D0B77DCF2CE489C744

Function 00007FFE13338484 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

PyLong_AsUnsignedLong.PYTHON312 ref: 00007FFE133384A1
PyErr_Occurred.PYTHON312 ref: 00007FFE133384AE
htonl.WS2_32 ref: 00007FFE133384C7
PyLong_FromUnsignedLong.PYTHON312 ref: 00007FFE133384CF
PyErr_Format.PYTHON312 ref: 00007FFE133384EC

Strings

expected int, %s found, xrefs: 00007FFE133384DE

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_LongLong_Unsigned$FormatFromOccurredhtonl
String ID: expected int, %s found
API String ID: 3347179618-1178442907
Opcode ID: 1cbb25d059c373463275cb9141ec41ce007bb3d03350516039de7c41e169b97a
Instruction ID: c67dd3cc2a3891f4490e3df3a97f7e80c9a7637687c85c13e46c8692403fb1bc
Opcode Fuzzy Hash: 1cbb25d059c373463275cb9141ec41ce007bb3d03350516039de7c41e169b97a
Instruction Fuzzy Hash: 6FF03661E08E42C9E6549B239884279A760BF65F75F148575D56E676B0CF3CD48CC304

Function 00007FFE13337DD8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

PyLong_AsUnsignedLong.PYTHON312 ref: 00007FFE13337DF5
PyErr_Occurred.PYTHON312 ref: 00007FFE13337E02
htonl.WS2_32 ref: 00007FFE13337E1B
PyLong_FromUnsignedLong.PYTHON312 ref: 00007FFE13337E23
PyErr_Format.PYTHON312 ref: 00007FFE13337E40

Strings

expected int, %s found, xrefs: 00007FFE13337E32

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_LongLong_Unsigned$FormatFromOccurredhtonl
String ID: expected int, %s found
API String ID: 3347179618-1178442907
Opcode ID: b2daa29250e1f6628aa8a96a2420fefb0829875c2a9b427d46b77ebb6b88cbc8
Instruction ID: f56613d29fb0fb63b9b2251ac243b593e00e62e04733a1c8765ba8077c7c56c2
Opcode Fuzzy Hash: b2daa29250e1f6628aa8a96a2420fefb0829875c2a9b427d46b77ebb6b88cbc8
Instruction Fuzzy Hash: 5AF0A921E0DE42CAEA559B23E885278A360BF68F75F148575D56F632B0CF3CD858C304

Function 00007FFE1A45ADEC Relevance: 9.2, APIs: 6, Instructions: 161COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45AE9E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AEAE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AECB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AF3E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AF67

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 80a690cc5bf4571957900b2ba371d1f0df44bd22a0b18b914ff66e25afa9163e
Instruction ID: 24c0c3a8ebe99c137ac6d4cd598463d31257035ead3d87dccea6baa833f6595b
Opcode Fuzzy Hash: 80a690cc5bf4571957900b2ba371d1f0df44bd22a0b18b914ff66e25afa9163e
Instruction Fuzzy Hash: FB7169B2B08F4289F711DBA2E8902BC37A1BB44B64F5080F6DA1D176A5DF79E462C740

Function 00007FF77D688ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D688EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D688F5A

Part of subcall function 00007FF77D689390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77D6845F4,00000000,00007FF77D681985), ref: 00007FF77D6893C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D688FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D689044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D689055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF77D683FA9), ref: 00007FF77D68906A

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
Instruction ID: 77824dc5bf1fcac4117a58aed5dc672a675f41ae0319790c727e635c5f256a75
Opcode Fuzzy Hash: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
Instruction Fuzzy Hash: FC415467E3D682C1EA30AB11A5402BBA396EB85BD4F854239DF4D97789FE3CE501C710

Function 00007FFE1A4569F0 Relevance: 9.1, APIs: 6, Instructions: 83stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE1A456A43
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A456A86
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE1A456AB0
InterlockedPushEntrySList.KERNEL32 ref: 00007FFE1A456ACD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A456AD9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A456AE2

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 0fa2fcead297943da074142d2fbec92c84cd60449e30d9ad217028345c3eb4d3
Instruction ID: 2c22617a3d5710520fa0a9b58cdcc255bf9f470f33cf0513c182b61d8dba4c76
Opcode Fuzzy Hash: 0fa2fcead297943da074142d2fbec92c84cd60449e30d9ad217028345c3eb4d3
Instruction Fuzzy Hash: 2631A462B19F9151EA15EB27A80457973A0FF49FF0B5985B2DD2D033A0EE7DE865C300

Function 00007FF77D6890E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77D688570: GetCurrentProcess.KERNEL32 ref: 00007FF77D688590
Part of subcall function 00007FF77D688570: OpenProcessToken.ADVAPI32 ref: 00007FF77D6885A3
Part of subcall function 00007FF77D688570: GetTokenInformation.ADVAPI32 ref: 00007FF77D6885C8
Part of subcall function 00007FF77D688570: GetLastError.KERNEL32 ref: 00007FF77D6885D2
Part of subcall function 00007FF77D688570: GetTokenInformation.ADVAPI32 ref: 00007FF77D688612
Part of subcall function 00007FF77D688570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF77D68862E
Part of subcall function 00007FF77D688570: CloseHandle.KERNEL32 ref: 00007FF77D688646

LocalFree.KERNEL32(?,00007FF77D683C55), ref: 00007FF77D68916C
LocalFree.KERNEL32(?,00007FF77D683C55), ref: 00007FF77D689175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF77D689183
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF77D689142
S-1-3-4, xrefs: 00007FF77D689121
D:(A;;FA;;;%s), xrefs: 00007FF77D689157

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: 2dce878d88bfbae65d5177f2ef36d88d8a86a456530baf3d0837dc4e58a400d1
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: E7211462E3C74181E650BB10E5152EBA262FB887C0FC44236EA8D93796FF3CE5458760

Function 00007FF77D69B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B30D
FlsSetValue.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B33A
FlsSetValue.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B34B
FlsSetValue.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B35C
SetLastError.KERNEL32(?,?,?,00007FF77D694F11,?,?,?,?,00007FF77D69A48A,?,?,?,?,00007FF77D69718F), ref: 00007FF77D69B377

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction ID: a96e01a7bef85c33d27e2799890d1b277947c484131ebdca5929970c70d9a0e1
Opcode Fuzzy Hash: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction Fuzzy Hash: F4116D26E3C64282FA54B329569113FE6879F457F0F948778E83EC76D6FE2CA4414320

Function 00007FFE1333701C Relevance: 9.0, APIs: 6, Instructions: 32threadnetworkCOMMON

Download Yara Rule

APIs

PyLong_AsLongLong.PYTHON312 ref: 00007FFE13337025
PyErr_Occurred.PYTHON312 ref: 00007FFE13337034
PyEval_SaveThread.PYTHON312 ref: 00007FFE13337048
closesocket.WS2_32 ref: 00007FFE13337054
PyEval_RestoreThread.PYTHON312 ref: 00007FFE1333705F
WSAGetLastError.WS2_32 ref: 00007FFE1333706E

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_LongThread$Err_ErrorLastLong_OccurredRestoreSaveclosesocket
String ID:
API String ID: 586723380-0
Opcode ID: 88cad95bcb5dfa4951526296af0bf2ff21b88eb4dabe66cc17352eaa9c495d40
Instruction ID: 25f9106cce97fb6ff3476657ae54d6f7f53136f3ab109ebe8b65cf80bb6b52d8
Opcode Fuzzy Hash: 88cad95bcb5dfa4951526296af0bf2ff21b88eb4dabe66cc17352eaa9c495d40
Instruction Fuzzy Hash: 48F0E110E1CE07D9FA5567A3A5481B4D255AF38FB1F0496B5C97E623F0DE2CE5C48218

Function 00007FFE1A453F60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

EncodePointer.KERNEL32 ref: 00007FFE1A453FD0
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A45401B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45424E

Strings

MOC, xrefs: 00007FFE1A453FE4
RCC, xrefs: 00007FFE1A453FEC

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 93ffbb8a8c38b724cb13d32310db34e78531563cac4ba1370c621256939a6833
Instruction ID: 817ccf16e5f614c8ae2b0fa91b85b32bd61ce66d1facdc8703b5e3ccb96781d0
Opcode Fuzzy Hash: 93ffbb8a8c38b724cb13d32310db34e78531563cac4ba1370c621256939a6833
Instruction Fuzzy Hash: 8591B3B3B08B918AE750DB66E4402BD77B1F744B98F1041AAEE8D4BB65DF38D165C700

Function 00007FFE1A45C540 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C7E0

Strings

std::nullptr_t, xrefs: 00007FFE1A45C799
volatile, xrefs: 00007FFE1A45C5B6, 00007FFE1A45C6E7
std::nullptr_t , xrefs: 00007FFE1A45C770
volatile , xrefs: 00007FFE1A45C5A7, 00007FFE1A45C6D8

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 01adbf8b940f63687fb8b05ad2c3f4aee868cfabe9c87335b9cb2bee01f92b8d
Instruction ID: 7a7b97423d2f4e3aed724f1d9a5f055a775e46facd1498bf98c907ba038ee296
Opcode Fuzzy Hash: 01adbf8b940f63687fb8b05ad2c3f4aee868cfabe9c87335b9cb2bee01f92b8d
Instruction Fuzzy Hash: C6714AB2B08E4688FB14AB2699500B867B5BB05BA4F8446F7DA4D53AA5DF2CE170C344

Function 00007FFE1A453CF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

EncodePointer.KERNEL32 ref: 00007FFE1A453D4F
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A453D9B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453F57

Strings

MOC, xrefs: 00007FFE1A453D63
RCC, xrefs: 00007FFE1A453D6B

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 8e034f92e989b9960bc08160daca0ef1833c14a7b13808a87468da7d70181806
Instruction ID: e71589378b1fe1701979186732e1bc8cec8fc63fd15ceeb90e19ffd39fffeafd
Opcode Fuzzy Hash: 8e034f92e989b9960bc08160daca0ef1833c14a7b13808a87468da7d70181806
Instruction Fuzzy Hash: 16619773A08FC581D7619B16E4403B9B7A0FB85BA4F0442A6EB9D43765DF3CE1A4CB00

Function 00007FFE1A455C50 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A455D22

Strings

RCC, xrefs: 00007FFE1A455C9C
MOC, xrefs: 00007FFE1A455C90
csm, xrefs: 00007FFE1A455CB2
csm, xrefs: 00007FFE1A455DDF

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileHeader
String ID: MOC$RCC$csm$csm
API String ID: 104395404-1441736206
Opcode ID: 5815091cf7d4bf77be2b6452b49c3696097c0f3c73df3e225fc204c9d15c1510
Instruction ID: 0498f6a2c30bcfe646609de0339eedfc56350870012fcedeb6dc47dcf2698f5c
Opcode Fuzzy Hash: 5815091cf7d4bf77be2b6452b49c3696097c0f3c73df3e225fc204c9d15c1510
Instruction Fuzzy Hash: 2F5190B2B09A4296EAA0AB27914417D76A0FF44F65F1440F3EE4D87761DF3CE4718B82

Function 00007FF77D682910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF77D681B6A), ref: 00007FF77D68295E

Strings

%s: %s, xrefs: 00007FF77D6829E8
Error [ANSI Fallback], xrefs: 00007FF77D6829FF
[PYI-%d:ERROR] , xrefs: 00007FF77D682966
Error, xrefs: 00007FF77D682A0E

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 73ec6bf89455a57c58b06fa0ae3ab1c5e2a7bc309814cbec61ad3786700b431e
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 1831B763F3C68192E710B765A8406E7A696BF887D4F810236EE8DC3759FF3CD5468210

Function 00007FF77D682390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF77D6823C8
DialogBoxIndirectParamW.USER32 ref: 00007FF77D68248E
DeleteObject.GDI32 ref: 00007FF77D6824C1
DestroyIcon.USER32 ref: 00007FF77D6824D3

Strings

Unhandled exception in script, xrefs: 00007FF77D6823F8

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
Instruction ID: 446fb72b4d02c4236079d394fb0ed5ce25fc5d267de1381daf6e25d45655badc
Opcode Fuzzy Hash: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
Instruction Fuzzy Hash: EC315363A3D68285E710AB21E8552FAA752FF887C4F840235EA4D87B49EF3CD1048710

Function 00007FF77D682B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF77D68918F,?,00007FF77D683C55), ref: 00007FF77D682BA0
MessageBoxW.USER32 ref: 00007FF77D682C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF77D682BA8
WARNING, xrefs: 00007FF77D682BAF
Warning, xrefs: 00007FF77D682C1D

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: f63257a47553c2032eff2fe4cf6b8ec4a3197cfdd41733b07804cf9f15422fb3
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: 3021A663B2CB4182E710AB14F4447ABA766FB887C4F800236EA8D97659EF3CD255C750

Function 00007FF77D682710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF77D681B99), ref: 00007FF77D682760

Strings

Error [ANSI Fallback], xrefs: 00007FF77D6827CF
Error, xrefs: 00007FF77D6827DE
[PYI-%d:%s] , xrefs: 00007FF77D682768
ERROR, xrefs: 00007FF77D68276F

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: 01d34c8c1c0404b22cbe3ae83f56b1663057af70ef693a0824993ba038dc5048
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: F3217F73E3C78182E720AB55B8417E7A7A5EB883C4F800236EA8D93659EF7CD1458750

Function 00007FFE0045479C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFE004547CC
PyType_IsSubtype.PYTHON312 ref: 00007FFE0045482C

Strings

a unicode character, xrefs: 00007FFE004547B7
argument, xrefs: 00007FFE004547BE
east_asian_width, xrefs: 00007FFE004547C5

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_ArgumentSubtypeType_
String ID: a unicode character$argument$east_asian_width
API String ID: 1522575347-3913127203
Opcode ID: 7b891638b4a45313673a93616f0d216ddcfc167a757208e07fea525010fbe4c5
Instruction ID: 13e012abcce93fd39a42a6e7be8276b237c1d5a7b7cdb2b68fd7b6e2a4b3213e
Opcode Fuzzy Hash: 7b891638b4a45313673a93616f0d216ddcfc167a757208e07fea525010fbe4c5
Instruction Fuzzy Hash: D821C025E08E8291EB549B22D46027D2BA1FF88B8AF448035D70D4B77EDF2CE5D5C308

Function 00007FFE00454D6C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFE00454D98
_PyUnicode_ToNumeric.PYTHON312 ref: 00007FFE00454DCB
PyErr_SetString.PYTHON312 ref: 00007FFE00454DF3
PyFloat_FromDouble.PYTHON312 ref: 00007FFE00454E0B

Strings

not a numeric character, xrefs: 00007FFE00454DE9

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: DoubleErr_Float_FromNumericStringSubtypeType_Unicode_
String ID: not a numeric character
API String ID: 1034370217-2058156748
Opcode ID: 8a252d4494416c01de2789638a4ecad70e8503ee6f61509ac703bcac1011aaf0
Instruction ID: c40aa3938edad6da05e6df974d900c46434ed1174543448c0f9eb54a9c87a452
Opcode Fuzzy Hash: 8a252d4494416c01de2789638a4ecad70e8503ee6f61509ac703bcac1011aaf0
Instruction Fuzzy Hash: 06216021E08D42C5EB658B25E42413967A1FF84B8AF148531DB1E4BBBEDF2CF8C58748

Function 00007FFE00454448 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFE00454474
_PyUnicode_ToDecimalDigit.PYTHON312 ref: 00007FFE00454493
PyErr_SetString.PYTHON312 ref: 00007FFE004544B3
PyLong_FromLong.PYTHON312 ref: 00007FFE004544CD

Strings

not a decimal, xrefs: 00007FFE004544A9

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: DecimalDigitErr_FromLongLong_StringSubtypeType_Unicode_
String ID: not a decimal
API String ID: 3750391552-3590249192
Opcode ID: 30abf5ee6eb06e173e75edeec379c503cf6988d9432b31e93c7c03d97c2bbd6f
Instruction ID: 4546d90a88596dd1d909e384785519a291017e7d6947988237aefc61a6d0331d
Opcode Fuzzy Hash: 30abf5ee6eb06e173e75edeec379c503cf6988d9432b31e93c7c03d97c2bbd6f
Instruction Fuzzy Hash: 94115121F48A4291FB54CB65E42433927A1AF85B8AF488430DB4E4B77EDF2CE8808748

Function 00007FFE00454390 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFE004543CF
_PyArg_BadArgument.PYTHON312 ref: 00007FFE00454404

Strings

a unicode character, xrefs: 00007FFE004543EF
argument 1, xrefs: 00007FFE004543FD
decimal, xrefs: 00007FFE004543BF, 00007FFE004543F6

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: a unicode character$argument 1$decimal
API String ID: 3876575403-2474051849
Opcode ID: d3484de5ee44d7a33ec5e53d5364025946576caca118cb4f9bd9e3e7fb1b6d42
Instruction ID: b404335b7f66874474a558b0bccd46cc82b971cf4837ccbb239a8114cbe35a76
Opcode Fuzzy Hash: d3484de5ee44d7a33ec5e53d5364025946576caca118cb4f9bd9e3e7fb1b6d42
Instruction Fuzzy Hash: 5F115A31B08A8295EA509F42E4802A96360EB85BC9F588436DF4D4B77EDF7DE696C304

Function 00007FFE00454CB4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFE00454CF3
_PyArg_BadArgument.PYTHON312 ref: 00007FFE00454D28

Strings

a unicode character, xrefs: 00007FFE00454D13
argument 1, xrefs: 00007FFE00454D21
numeric, xrefs: 00007FFE00454CE3, 00007FFE00454D1A

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: a unicode character$argument 1$numeric
API String ID: 3876575403-2385192657
Opcode ID: f2c4218ba94db24fb659ccbfd3ee4767c89f092abad47c48dbe9f437d0b50517
Instruction ID: 38cfeac6abde39e19d719b493601317b381da845676b8778ee80f2fcefc6dddc
Opcode Fuzzy Hash: f2c4218ba94db24fb659ccbfd3ee4767c89f092abad47c48dbe9f437d0b50517
Instruction Fuzzy Hash: F4115E31F08A4295EA509B46E4402A96370EB84FC9F584436DF1D4B77ECF6DE599C304

Function 00007FFE00454B70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFE00454BAF
_PyArg_BadArgument.PYTHON312 ref: 00007FFE00454BE4

Strings

a unicode character, xrefs: 00007FFE00454BCF
argument 1, xrefs: 00007FFE00454BDD
name, xrefs: 00007FFE00454B9F, 00007FFE00454BD6

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: a unicode character$argument 1$name
API String ID: 3876575403-4190364640
Opcode ID: ab7f7404489c6aefaed3bb65c109ab607c61dcc8bacd4a48ace643e301676b9f
Instruction ID: b8f962f648a6ca76bbd9d4643b5d657622ed7763dc9d87224629ba89f75b6e59
Opcode Fuzzy Hash: ab7f7404489c6aefaed3bb65c109ab607c61dcc8bacd4a48ace643e301676b9f
Instruction Fuzzy Hash: 5C119E35F08A8285EA50DF42E4402A92360EB84BC9F588032DB4D4B77ECF2DE695C304

Function 00007FFE133367E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE1333680B

Part of subcall function 00007FFE13335190: WSAGetLastError.WS2_32 ref: 00007FFE13335237
Part of subcall function 00007FFE13335190: WSAGetLastError.WS2_32 ref: 00007FFE1333523F
Part of subcall function 00007FFE13335190: PyErr_CheckSignals.PYTHON312 ref: 00007FFE13335250

PyBuffer_Release.PYTHON312 ref: 00007FFE13336870
PyBuffer_Release.PYTHON312 ref: 00007FFE1333687A
PyLong_FromSsize_t.PYTHON312 ref: 00007FFE13336885

Strings

y*|i:send, xrefs: 00007FFE13336804

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Buffer_ErrorLastRelease$Arg_CheckErr_FromLong_ParseSignalsSizeSsize_tTuple_
String ID: y*|i:send
API String ID: 3302300731-3140140677
Opcode ID: 70f7d7a80c76ac7ebf331995eccc1240174c4d9e6f46aa044d17b734aac3d8e0
Instruction ID: 63d5cfc674a0e753bd760138dba467adf999a1431e1f9cd352f48dece86d6020
Opcode Fuzzy Hash: 70f7d7a80c76ac7ebf331995eccc1240174c4d9e6f46aa044d17b734aac3d8e0
Instruction Fuzzy Hash: F6115E72608F45CAE710CF66E4443AAB3A0FB98BA4F104072EA9D97764DF3DD484CB54

Function 00007FFE004542A4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFE004542D4
PyErr_Occurred.PYTHON312 ref: 00007FFE00454303

Strings

a unicode character, xrefs: 00007FFE004542BF
argument, xrefs: 00007FFE004542C6
combining, xrefs: 00007FFE004542CD

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_ArgumentErr_Occurred
String ID: a unicode character$argument$combining
API String ID: 3979797681-4202047184
Opcode ID: f57a56bca3f03315399802cbb188705c8f0221a3905f8c719d86b24713be5e96
Instruction ID: 6fb646e48418979c65c7e90b7783516da0c63ada046e592f59a8da2e2f841c42
Opcode Fuzzy Hash: f57a56bca3f03315399802cbb188705c8f0221a3905f8c719d86b24713be5e96
Instruction Fuzzy Hash: 15018460F08A4381EA249B51E4501B923A0FF8879AF800535EB0D4B3BEDE3CE5D58708

Function 00007FFE00454A7C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFE00454AAC
PyErr_Occurred.PYTHON312 ref: 00007FFE00454ADB

Strings

a unicode character, xrefs: 00007FFE00454A97
mirrored, xrefs: 00007FFE00454AA5
argument, xrefs: 00007FFE00454A9E

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Arg_ArgumentErr_Occurred
String ID: a unicode character$argument$mirrored
API String ID: 3979797681-4001128513
Opcode ID: 9496c058ca4f3a92d16c11e0dea8752c802f91a4b5f675f0277ed2c6365c313a
Instruction ID: 6f7469f7d8c9fffca2b4c78233b85cda653bafb309843b3fc69968309c8f0545
Opcode Fuzzy Hash: 9496c058ca4f3a92d16c11e0dea8752c802f91a4b5f675f0277ed2c6365c313a
Instruction Fuzzy Hash: 26018F60E08A4385EA64DB61E8601B923A0FF8879AF400531D74D4B3BEDE2CEAD4C309

Function 00007FFE13331060 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

PyCapsule_GetPointer.PYTHON312 ref: 00007FFE1333106D
_Py_Dealloc.PYTHON312 ref: 00007FFE133310AD

Strings

_socket.CAPI, xrefs: 00007FFE13331066

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Capsule_DeallocPointer
String ID: _socket.CAPI
API String ID: 898671391-3774308389
Opcode ID: 147324779042020adf52fa7f054c0f0e2125f6212a673ba3a80a163640bf1b1a
Instruction ID: 47ca38d90de03ec488765a910bddb146b960cd4dd2b43f1edd7e832ec1ede28b
Opcode Fuzzy Hash: 147324779042020adf52fa7f054c0f0e2125f6212a673ba3a80a163640bf1b1a
Instruction Fuzzy Hash: 4C01C432E0DD42CDE6555F27C8543B8A264AB65F36F54C0B0CA6D652B0CF7DA8818308

Function 00007FFE00452610 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON312(?,?,00000000,00007FFE0045254A), ref: 00007FFE0045261B
PyCapsule_New.PYTHON312(?,?,00000000,00007FFE0045254A), ref: 00007FFE00452658
PyErr_NoMemory.PYTHON312(?,?,00000000,00007FFE0045254A), ref: 00007FFE00453FB8
PyMem_Free.PYTHON312(?,?,00000000,00007FFE0045254A), ref: 00007FFE00453FC8

Strings

unicodedata._ucnhash_CAPI, xrefs: 00007FFE0045264D

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Mem_$Capsule_Err_FreeMallocMemory
String ID: unicodedata._ucnhash_CAPI
API String ID: 3673501854-3989975041
Opcode ID: 04962b3129ec8039d4574c2b15526bc82bf072c2335504b47079f601afa57e40
Instruction ID: f34ee44884af9c74f2ce9aced05fbd04dc363518c8dea4b1c129870dbbc2b8c0
Opcode Fuzzy Hash: 04962b3129ec8039d4574c2b15526bc82bf072c2335504b47079f601afa57e40
Instruction Fuzzy Hash: 53F04F21E19F4795EB058B21E92427863A4BF09B83F481432CA4E0637EEF3CF144C348

Function 00007FF77D699A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF77D699AAD
GetProcAddress.KERNEL32 ref: 00007FF77D699AC3
FreeLibrary.KERNEL32 ref: 00007FF77D699AEA

Strings

CorExitProcess, xrefs: 00007FF77D699ABC
mscoree.dll, xrefs: 00007FF77D699AA4

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: 1770cd55ac1beb024a4d0b1099aa99eea230b739e2cc4ce52add5c26bad3d860
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 5DF04422E3D60681EA10AB24A45437B9762EF897E5F941339D56E851E4FF2CD444C720

Function 00007FFE148E10E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON312 ref: 00007FFE148E10ED
PyUnicode_InternFromString.PYTHON312 ref: 00007FFE148E10FD
PyModule_AddObjectRef.PYTHON312 ref: 00007FFE148E111F

Strings

error, xrefs: 00007FFE148E1112
close, xrefs: 00007FFE148E10F3

Memory Dump Source

Source File: 00000001.00000002.2667804984.00007FFE148E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000001.00000002.2667789447.00007FFE148E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667838554.00007FFE148E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667854016.00007FFE148E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe148e0000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Module_$FromInternObjectStateStringUnicode_
String ID: close$error
API String ID: 4029360594-371397155
Opcode ID: 0a630f88c3fb29b6303c131d10015d5f25b4110c9ff69da5c0eced729275bb56
Instruction ID: 5a5c8490eae02023ed23b346299fd354d2a9bcfa568464483b5ffa0ce4f04df6
Opcode Fuzzy Hash: 0a630f88c3fb29b6303c131d10015d5f25b4110c9ff69da5c0eced729275bb56
Instruction Fuzzy Hash: F8F03A21A09F4791EA008B66F8840B9A360BF0ABA5B4441BAFA1D663B1DE3DD85D8300

Function 00007FFE13334ABC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

_Py_BuildValue_SizeT.PYTHON312(?,?,00000002,00007FFE13334E84), ref: 00007FFE13334AD7
PyErr_SetObject.PYTHON312(?,?,00000002,00007FFE13334E84), ref: 00007FFE13334AEC
_Py_Dealloc.PYTHON312(?,?,00000002,00007FFE13334E84), ref: 00007FFE13334B00

Strings

(is), xrefs: 00007FFE13334AD0
getaddrinfo failed, xrefs: 00007FFE13334AC9

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: BuildDeallocErr_ObjectSizeValue_
String ID: (is)$getaddrinfo failed
API String ID: 3413694139-582941868
Opcode ID: c34809af6fe48c3d98dc105baad316adadc833bdd741b3991c46394a393d3a53
Instruction ID: c47b404452dc8df0da604ffe09783ecb7f9479d98c86410f8fd2a839539e95ec
Opcode Fuzzy Hash: c34809af6fe48c3d98dc105baad316adadc833bdd741b3991c46394a393d3a53
Instruction Fuzzy Hash: 37F0FE25A08E47CAFA058B62E9482A5A3A0EF68FA5F448071CA6D66674EF3CD494C304

Function 00007FFE13334B14 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

_Py_BuildValue_SizeT.PYTHON312(?,?,?,00007FFE13333B5A), ref: 00007FFE13334B2F
PyErr_SetObject.PYTHON312(?,?,?,00007FFE13333B5A), ref: 00007FFE13334B44
_Py_Dealloc.PYTHON312(?,?,?,00007FFE13333B5A), ref: 00007FFE13334B58

Strings

host not found, xrefs: 00007FFE13334B21
(is), xrefs: 00007FFE13334B28

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: BuildDeallocErr_ObjectSizeValue_
String ID: (is)$host not found
API String ID: 3413694139-3306034047
Opcode ID: e90ec528a1d937703f33ea49ca5fade7d46b30f37fbc55b9918f483f3cce63c4
Instruction ID: 06b694e0996952b7a1fecde6b1e7d4c6ba59bacb2aa8333d9499282f50ca61eb
Opcode Fuzzy Hash: e90ec528a1d937703f33ea49ca5fade7d46b30f37fbc55b9918f483f3cce63c4
Instruction Fuzzy Hash: F3F0FE25A08E4689FA154B63E8482A4E3A0EF68FA5F4480B1CA7D66674DE3CD4858308

Function 00007FFE1A45A920 Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A99B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A9BD
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A9CC
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45AA03
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45AA0E

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: f125dc20a4fc2cff283c2e4d5124f38be857c51718d1d3c9008137230ed817e4
Instruction ID: c27719cab2395f36c17cfd406b8932f99f659b90677ac9e23bdfdc20e0fe4823
Opcode Fuzzy Hash: f125dc20a4fc2cff283c2e4d5124f38be857c51718d1d3c9008137230ed817e4
Instruction Fuzzy Hash: 54414CA2B19F5298EB10EB22E8541B827B4BF15FA4F9444F3DA4D537A5DF38E865C300

Function 00007FFE148E27F8 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32 ref: 00007FFE148E281E
PyList_New.PYTHON312(00007FFDFB75D250,?,?,00007FFE148E22E5), ref: 00007FFE148E2844
__WSAFDIsSet.WS2_32 ref: 00007FFE148E2870
PyList_SetItem.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E288A
_Py_Dealloc.PYTHON312(?,?,00007FFE148E22E5), ref: 00007FFE148E28D1

Memory Dump Source

Source File: 00000001.00000002.2667804984.00007FFE148E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000001.00000002.2667789447.00007FFE148E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667838554.00007FFE148E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667854016.00007FFE148E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe148e0000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: List_$DeallocItem
String ID:
API String ID: 1559017468-0
Opcode ID: a3b86cd28f5a00db1039b6b37618db01fe58124a87f1d68f694451c2dc2a1ca4
Instruction ID: 797b4fc11bc49a3f34eb1eb327b8ea40920b88627532fb40d4adebaa683886d4
Opcode Fuzzy Hash: a3b86cd28f5a00db1039b6b37618db01fe58124a87f1d68f694451c2dc2a1ca4
Instruction Fuzzy Hash: E021B432A18F529AEB248F13E484369B3A0FB0AB90F444479DB4D53760DF3DE55AC340

Function 00007FF77D6A9368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF77D6A9390
_set_statfp.LIBCMT ref: 00007FF77D6A93AB
_set_statfp.LIBCMT ref: 00007FF77D6A93C7
_set_statfp.LIBCMT ref: 00007FF77D6A9403

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 213db936796fc3778afcba5c84b0d6d08a704705715f00606921d5d5fe13ce49
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 91114F23D7CA0201F6542155A89137B9062AFD93E8FE40736EBAE962DABE6C68414220

Function 00007FF77D69B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF77D69A5A3,?,?,00000000,00007FF77D69A83E,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF77D69A5A3,?,?,00000000,00007FF77D69A83E,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF77D69A5A3,?,?,00000000,00007FF77D69A83E,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF77D69A5A3,?,?,00000000,00007FF77D69A83E,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69B407
FlsSetValue.KERNEL32(?,?,?,00007FF77D69A5A3,?,?,00000000,00007FF77D69A83E,?,?,?,?,?,00007FF77D69A7CA), ref: 00007FF77D69B418

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
Instruction ID: 83ca0808ae1361b3a0c94cd2bef51bd5ce1e9d53afcc9c135310723a2e4ed9a1
Opcode Fuzzy Hash: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
Instruction Fuzzy Hash: BA116D26E3C60241FA58B329969113BA5835F447F0FD8937CE83DC66CAFE2CE4429220

Function 00007FFE148E1070 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON312 ref: 00007FFE148E1086
_Py_Dealloc.PYTHON312 ref: 00007FFE148E2196

Memory Dump Source

Source File: 00000001.00000002.2667804984.00007FFE148E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000001.00000002.2667789447.00007FFE148E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667838554.00007FFE148E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667854016.00007FFE148E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe148e0000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: DeallocModule_State
String ID:
API String ID: 1903735390-0
Opcode ID: 2ce0c8c7188e7a3beb229335f2cd0a6251314470689c624f0e1d13b771884af1
Instruction ID: a113cfe5e4d60c9f89b7c69d5035bc31d61f51281dddd0cd47147902aacdd5a5
Opcode Fuzzy Hash: 2ce0c8c7188e7a3beb229335f2cd0a6251314470689c624f0e1d13b771884af1
Instruction Fuzzy Hash: 9821FE31E0DE92C5FB595F7288843B8B2A4AB57B39F1440B4E60E623A1CF7EA54D8701

Function 00007FF77D69B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF77D69B235
FlsSetValue.KERNEL32 ref: 00007FF77D69B254
FlsSetValue.KERNEL32 ref: 00007FF77D69B27C
FlsSetValue.KERNEL32 ref: 00007FF77D69B28D
FlsSetValue.KERNEL32 ref: 00007FF77D69B29E

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction ID: f538c7682a5980089d859b24db90e66a5ae9d22e0dc95da31c83f38e38dad85e
Opcode Fuzzy Hash: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction Fuzzy Hash: ED110626E3C20741F958B36945A117BA5838F467F0FA487BCE93ECA6C2FD2CB4404231

Function 00007FFE13336E64 Relevance: 7.5, APIs: 5, Instructions: 39threadnetworkCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FFE13336E94
PyEval_SaveThread.PYTHON312 ref: 00007FFE13336EAA
WSADuplicateSocketW.WS2_32 ref: 00007FFE13336EC0
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13336ECB

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$Arg_DuplicateParseRestoreSaveSizeSocketTuple_
String ID:
API String ID: 3898289384-0
Opcode ID: c8e2bad8f66a6fb79bb8ed3b2e5e97b1d887adf2b3fc17a41d9c2dd7865fadd9
Instruction ID: eb1123acc7618ba9664ab84bda97e3a4b8b1aebe937c5afe0a5a8cd49b555294
Opcode Fuzzy Hash: c8e2bad8f66a6fb79bb8ed3b2e5e97b1d887adf2b3fc17a41d9c2dd7865fadd9
Instruction Fuzzy Hash: 39115661A09FC1CAEA209B62E4883B9A354FF64FB0F004171D96D137B4DF3CD0448604

Function 00007FFE13336F10 Relevance: 7.5, APIs: 5, Instructions: 33threadCOMMON

Download Yara Rule

APIs

_PyLong_AsInt.PYTHON312 ref: 00007FFE13336F20
PyErr_Occurred.PYTHON312 ref: 00007FFE13336F2D
PyEval_SaveThread.PYTHON312 ref: 00007FFE13336F41
shutdown.WS2_32 ref: 00007FFE13336F50
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13336F5B

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$Err_Long_OccurredRestoreSaveshutdown
String ID:
API String ID: 24305128-0
Opcode ID: 6516a418a14a859acfa3d73bcf82298d2a1ff85a94d003fe5974aec2db2ce4ef
Instruction ID: 376f4ab411e07b0f9fbcd44fb5c4773155327edb43dd0ee8c002967cc054ebbc
Opcode Fuzzy Hash: 6516a418a14a859acfa3d73bcf82298d2a1ff85a94d003fe5974aec2db2ce4ef
Instruction Fuzzy Hash: 2B013621F1CF42CAEA505B63B584179A360AF68FB0B14C670EA6E53774DF3CE4859214

Function 00007FFE13337EB0 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

PyLong_AsUnsignedLong.PYTHON312 ref: 00007FFE13337ECE
PyErr_Occurred.PYTHON312 ref: 00007FFE13337EDB
if_indextoname.IPHLPAPI ref: 00007FFE13337EED
PyErr_SetFromErrno.PYTHON312 ref: 00007FFE13337F02
PyUnicode_DecodeFSDefault.PYTHON312 ref: 00007FFE13337F11

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_$DecodeDefaultErrnoFromLongLong_OccurredUnicode_Unsignedif_indextoname
String ID:
API String ID: 2382930745-0
Opcode ID: 3cc25d69238de96e231579351c1bec566e97787018e5fdd4677d39b8f471e047
Instruction ID: 41ae4ab59be4b0e7e16d9b554014689c8d9a5bee0180219d8f7338659dbb7378
Opcode Fuzzy Hash: 3cc25d69238de96e231579351c1bec566e97787018e5fdd4677d39b8f471e047
Instruction Fuzzy Hash: 7C01EC61A18E4189FA219B22E8943B5A390AFA8F75F408574D96E963B0DF2CA5448604

Function 00007FF77D695FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D695FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D696106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6961BC

Strings

verbose, xrefs: 00007FF77D695FB0

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 49fc8158dee8d03463ff35406dbe0ecb005a87ac0c8d3ef9179d083adc5d5de7
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 2191AE23E3C74681EB60AFA8D55037FB693AB41BD4FC4427ADA59872D5EE3CE4058320

Function 00007FF77D69FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D69FEA7

Part of subcall function 00007FF77D697A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D697A59

Strings

ccs, xrefs: 00007FF77D69FDE2
UTF-16LEUNICODE, xrefs: 00007FF77D69FE45
UTF-8, xrefs: 00007FF77D69FE26

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 00767ae982e21424efe52ce2e6c62e4e55cc184f1f67ef8eba1cd89e678e24d8
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: 8E81A473E3C202D5F764BE25811027BB6A3AB117C4FD68279CA09D7285EF2DE9499321

Function 00007FFE1A45470C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45488B

Strings

csm, xrefs: 00007FFE1A4548C5
csm, xrefs: 00007FFE1A45475B
, xrefs: 00007FFE1A4547DC

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: bd14039b9dc44c48f3afba7226bd4a8f48c08aeb5fb2f86f7c5774b76e28317a
Instruction ID: 981da8115c9b48803b9ad4d14fb071730699ec5304509786106cb108d2509734
Opcode Fuzzy Hash: bd14039b9dc44c48f3afba7226bd4a8f48c08aeb5fb2f86f7c5774b76e28317a
Instruction Fuzzy Hash: 8D71D4B2B08AC186D7659F26D04037D7BA1FB41FA8F0481B2DA8D0B6AACB3CD461C741

Function 00007FF77D68D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF77D68D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF77D68D70A
RtlUnwindEx.KERNEL32 ref: 00007FF77D68D764

Strings

csm, xrefs: 00007FF77D68D6F1

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: 1745753b4f805a345d4c0616f5d3b058fc74155de081ad507d368850db67da1f
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: BD517023E3D602CEDB14AB15D444A7AA792EB44BD8F984231DB4E87744EF7CE841CB20

Function 00007FF77D68EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF77D68EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF77D68EF83

Strings

MOC, xrefs: 00007FF77D68EF4B
RCC, xrefs: 00007FF77D68EF53

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 070cc0957e374de7d9a95a03585695e38ce21bbd50daed78c51e6b64d8680c66
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 7B616C3392CB85C5DB20AB15E4403AAB7A1FB957D8F444235EA9C43B96EF7CD190CB10

Function 00007FF77D68F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF77D68F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF77D68F398

Strings

csm, xrefs: 00007FF77D68F3EA
csm, xrefs: 00007FF77D68F2D2

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 67e3a653c59d2beac016d2c38ef232b8e60f1bc17d661ba938a5d04c8be8dfd0
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: 5A519F33E3C242C6EB64AA21914426AB7A2EB64BC4F944236DA4C83B96DF3CE450C751

Function 00007FFE1A4544E4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4545DB
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A4545EB

Strings

csm, xrefs: 00007FFE1A45463D
csm, xrefs: 00007FFE1A45452E

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 08ef0bffa0d8dc861c4a01b7d2fd628c67e896dc6c26123b9582640005c51e48
Instruction ID: de0bbe02d8b80d45672660b4dc0e76c3c97907b3f4d833729b3815f7139b15e7
Opcode Fuzzy Hash: 08ef0bffa0d8dc861c4a01b7d2fd628c67e896dc6c26123b9582640005c51e48
Instruction Fuzzy Hash: DC51A4B2B08A8586EB649B12914437976A1FB50FA4F1441F7DB4C4BBA6CF3CE571CB00

Function 00007FFE1A45B118 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45B172

Strings

%lf, xrefs: 00007FFE1A45B1AD, 00007FFE1A45B1E1, 00007FFE1A45B211

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: 7e0deb2cf17bd330c849068a4ca2fc9bc064bfcc9212df10860184869afe9d43
Instruction ID: d2b3330a5854bd68c2839003d70c3650593197a4c269079963081034022440b0
Opcode Fuzzy Hash: 7e0deb2cf17bd330c849068a4ca2fc9bc064bfcc9212df10860184869afe9d43
Instruction Fuzzy Hash: B331B7A1B0CF4685EA11EB13A8501BA7361BF55FA0F5481F7EA5E53771EE2CE162C700

Function 00007FF77D687E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF77D68352C,?,00000000,00007FF77D683F1B), ref: 00007FF77D687F32

Strings

%s%c, xrefs: 00007FF77D687EA4
%.*s, xrefs: 00007FF77D687EEB
\, xrefs: 00007FF77D687E97

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
Instruction ID: 3c798745d1f8650b8f62018f9636e3239a9f20de0f3146175b9d1dd341fbab97
Opcode Fuzzy Hash: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
Instruction Fuzzy Hash: 1C31BA62E3DAC185EA21A711E4507ABA356EB84BE0F844331EAAD877C5FF2CD6418750

Function 00007FF77D682810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF77D6828EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF77D682868
Error, xrefs: 00007FF77D6828DD
ERROR, xrefs: 00007FF77D68286F

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: 31a32ef2c6f95a0c2a27cc5e00b15e28b4dc188d125b7932c4417faf45dc7aa1
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 1E219163B28B4182E710AB14B4447ABA7A6EB887C0F800236EA8D93659EF3CD255C750

Function 00007FFE00451ED0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312(?,?,?,?,?,00007FFE00451EBC), ref: 00007FFE00453C1F

Part of subcall function 00007FFE00451FB0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE00451FE8
Part of subcall function 00007FFE00451FB0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE00452006

PyErr_Format.PYTHON312 ref: 00007FFE00451F33

Strings

undefined character name '%s', xrefs: 00007FFE00451F26
name too long, xrefs: 00007FFE00453C15

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_strncmp$FormatString
String ID: name too long$undefined character name '%s'
API String ID: 3882229318-4056717002
Opcode ID: 1035d3c545dcad7f3fc1fcdb04c9696ab0948ab795443172b9eb40205ee2c5c7
Instruction ID: 53e35b4b19dcbedcfb4c2b57ef1a9ec031c4717641aca3b0ed16b304cafff533
Opcode Fuzzy Hash: 1035d3c545dcad7f3fc1fcdb04c9696ab0948ab795443172b9eb40205ee2c5c7
Instruction Fuzzy Hash: 4B110076E18D47D1EB008B14E8946B86761FB8874AF840531DB0D477BADF7DE14AC744

Function 00007FFE13335450 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13333DD0: PyErr_Format.PYTHON312 ref: 00007FFE13334154

PySys_Audit.PYTHON312 ref: 00007FFE133354A8

Part of subcall function 00007FFE13334484: PyEval_SaveThread.PYTHON312 ref: 00007FFE133344A2
Part of subcall function 00007FFE13334484: connect.WS2_32 ref: 00007FFE133344B5
Part of subcall function 00007FFE13334484: PyEval_RestoreThread.PYTHON312 ref: 00007FFE133344C0
Part of subcall function 00007FFE13334484: WSAGetLastError.WS2_32 ref: 00007FFE133344CE
Part of subcall function 00007FFE13334484: WSAGetLastError.WS2_32 ref: 00007FFE133344DA
Part of subcall function 00007FFE13334484: PyErr_CheckSignals.PYTHON312 ref: 00007FFE133344E7
Part of subcall function 00007FFE13334484: WSASetLastError.WS2_32 ref: 00007FFE13334501

PyLong_FromLong.PYTHON312 ref: 00007FFE133354CD

Strings

connect_ex, xrefs: 00007FFE1333546F
socket.connect, xrefs: 00007FFE133354A1

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorLast$Err_Eval_Thread$AuditCheckFormatFromLongLong_RestoreSaveSignalsSys_connect
String ID: connect_ex$socket.connect
API String ID: 3879675179-935070752
Opcode ID: 414937b2a6d92fbc3da88fc1208311d46d9418bcea39934cf64ea2bb9134626d
Instruction ID: 62691dd546c1f3406150417d1ad322bf580ab624ee9c7f40d36f0128aa7cac2f
Opcode Fuzzy Hash: 414937b2a6d92fbc3da88fc1208311d46d9418bcea39934cf64ea2bb9134626d
Instruction Fuzzy Hash: 34115221B08E82C5F7208B23F4107E6B3A0BF64BE4F508072DA5D67665EE3CD144C704

Function 00007FFE1A452A50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452A8E

Strings

csm, xrefs: 00007FFE1A452A70
MOC, xrefs: 00007FFE1A452A68
RCC, xrefs: 00007FFE1A452A60

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: 3ab94ae7472f91afbfb2fa40e8eaefdcfa6935c471aaf11af4776549d32657f7
Instruction ID: bf05f5ed05f654c924678f930fc850e68dc2489998943898e4d87e2a05e401aa
Opcode Fuzzy Hash: 3ab94ae7472f91afbfb2fa40e8eaefdcfa6935c471aaf11af4776549d32657f7
Instruction Fuzzy Hash: EBF03C72A18A0686E7A47B63E18107D7664EF48F61F1950F3EB4806262CF7CE8B0C701

Function 00007FFE1333678C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

PyUnicode_FromFormat.PYTHON312 ref: 00007FFE133367B0
PyErr_SetString.PYTHON312 ref: 00007FFE133367D5

Strings

no printf formatter to display the socket descriptor in decimal, xrefs: 00007FFE133367CB
<socket object, fd=%ld, family=%d, type=%d, proto=%d>, xrefs: 00007FFE133367A5

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_FormatFromStringUnicode_
String ID: <socket object, fd=%ld, family=%d, type=%d, proto=%d>$no printf formatter to display the socket descriptor in decimal
API String ID: 1884982852-285600062
Opcode ID: adbad624c4c56f29da8e25935a1100d7f970daaacfccf8b58daafbc43e48176e
Instruction ID: 7b8862da4e3d907d316ef7d85c3db3cd3cd88235dfd5c12a888bbeda281fad49
Opcode Fuzzy Hash: adbad624c4c56f29da8e25935a1100d7f970daaacfccf8b58daafbc43e48176e
Instruction Fuzzy Hash: 06F01D64A08902CDDA108B16D4801387360FB68FB8FA08771D93D572F0DE2CE416D704

Function 00007FF77D69C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF77D69C61F
WriteFile.KERNEL32 ref: 00007FF77D69C8E7
WriteFile.KERNEL32 ref: 00007FF77D69C92D
GetLastError.KERNEL32 ref: 00007FF77D69C9E3

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: b620f536da00e8410c8aad0e1fdc1d57d60188c4c5e9e8a437d79d7f895de897
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 26D1EF73F2CA818AE710DF75D4402BD77A2FB547D8B81426ADE5E97B89EA38D006C710

Function 00007FF77D69CF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77D69CF4B), ref: 00007FF77D69D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77D69CF4B), ref: 00007FF77D69D107

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 196cbd5a16054765cac47f1e13bde620b678d246ddfc815946f20d7abc784894
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: C691B423E3C65185F750AF65944427EABA3BB44BC8F98427DDF0E97694EE38D442CB20

Function 00007FFE1A45A638 Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE4D
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE86
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D1B1

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A793
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A7F2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A824
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A834

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: cc076bc81e8f2d48ba6aefa04368e4e4f2bc5c7ef048a26b3748b4f62f7846b0
Instruction ID: e2f86aca1f601f7042d61afb5962c07a50ea380ada2080909daca55c9a1d71c2
Opcode Fuzzy Hash: cc076bc81e8f2d48ba6aefa04368e4e4f2bc5c7ef048a26b3748b4f62f7846b0
Instruction Fuzzy Hash: FA914BA2F08F5289F7119B66D8443BC37B1BB04B68F5440F7DA4D176A5DF78A8A6C340

Function 00007FFE00451FB0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE00451FE8
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE00452006

Strings

HANGUL SYLLABLE , xrefs: 00007FFE00451FD5
CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFE00451FFC

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: strncmp
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 1114863663-87138338
Opcode ID: 8c364d9f7697f15a55bc755bfe662b8d9c35c3fd34f27cade82d87210dead623
Instruction ID: 38e19ae2f11be9cfbd1a8aa3efa97cc056c22d328b4dbf04491403bbea14a671
Opcode Fuzzy Hash: 8c364d9f7697f15a55bc755bfe662b8d9c35c3fd34f27cade82d87210dead623
Instruction Fuzzy Hash: EC613832B1865146E6608E15A90067E7252FB85BD2F448236EF5D477EEDFBCE501C704

Function 00007FF77D69F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF77D69FA7C
_get_daylight.LIBCMT ref: 00007FF77D69FA8D
_get_daylight.LIBCMT ref: 00007FF77D69FA9E
_isindst.LIBCMT ref: 00007FF77D69FB69

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 47c386d92cb6092024ef8aaec72e1afa5e0f926da57bb014de277f08e1199991
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: D8510B73F3811186EB14EF6499516BDA7A3AF543E8F910339DE1D92AD9EF38A402C710

Function 00007FF77D69577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF77D6957AF
GetFileInformationByHandle.KERNEL32 ref: 00007FF77D695811
GetLastError.KERNEL32 ref: 00007FF77D6958A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77D6956B4), ref: 00007FF77D6958EE

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction ID: 8a28f5429d2e4c9e67125e252388ac25a87a77d90ee7c1001c010b0887ce1940
Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction Fuzzy Hash: EA518233E3865185FB10EF71D5503BEA7A3AB48798F944639DE4D87689EF38D4418360

Function 00007FFE1A45D274 Relevance: 6.1, APIs: 4, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45ED94: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45EDEE

Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE4D
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE86
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D1B1

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D2F4
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D303
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D380
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D38F

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 57265f9aaea93611d8ae4b0edf9f43af56394ecd72ecd9aef4b3b93798ee479d
Instruction ID: 9e8a31f296105f5cfc6c94cd492f7fb90470b07ebc3ddefbf57ebb7c5ca3f9eb
Opcode Fuzzy Hash: 57265f9aaea93611d8ae4b0edf9f43af56394ecd72ecd9aef4b3b93798ee479d
Instruction Fuzzy Hash: 104166B2B08B4189FB01DF66D8403BC37B0BB48B68F9484B6DA8D57769DF789495C350

Function 00007FF77D6820C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF77D6820F4
SetWindowLongPtrW.USER32 ref: 00007FF77D682116
GetWindowLongPtrW.USER32 ref: 00007FF77D682140
InvalidateRect.USER32 ref: 00007FF77D682160

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 4db702e4260f0ae1114fb5573849cb1bf17f1f569369efbc96099a92f6ea5e0a
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 7611E922F3C142C2F654A769E54427B9693EB887C0FD44230DB8947B8DED3DD4D18220

Function 00007FFE13335790 Relevance: 6.0, APIs: 4, Instructions: 43threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE133341EC: PyErr_SetString.PYTHON312 ref: 00007FFE1333422F

memset.VCRUNTIME140 ref: 00007FFE133357DC
PyEval_SaveThread.PYTHON312 ref: 00007FFE133357E1
getsockname.WS2_32 ref: 00007FFE133357F8
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13335803

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$Err_RestoreSaveStringgetsocknamememset
String ID:
API String ID: 772546412-0
Opcode ID: bb4860f722e20605b845678caae1940802489a0c30753b108cbd7cf2fc4f76aa
Instruction ID: d2cbdc79b1d22ab5dd9fdb6a993b142de46caf432755f3f1aa766ca7581f88d1
Opcode Fuzzy Hash: bb4860f722e20605b845678caae1940802489a0c30753b108cbd7cf2fc4f76aa
Instruction Fuzzy Hash: E5113625A1CFC6C6EA309B52F4403AAE361FBA4B94F408172DA9D67A69DF3CD145C704

Function 00007FFE133356D0 Relevance: 6.0, APIs: 4, Instructions: 43threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE133341EC: PyErr_SetString.PYTHON312 ref: 00007FFE1333422F

memset.VCRUNTIME140 ref: 00007FFE1333571C
PyEval_SaveThread.PYTHON312 ref: 00007FFE13335721
getpeername.WS2_32 ref: 00007FFE13335738
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13335743

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$Err_RestoreSaveStringgetpeernamememset
String ID:
API String ID: 1387529023-0
Opcode ID: 6217d1f52f68499da46158bc7b5de8f19134ea31d65d8230de025008c52050e8
Instruction ID: 8036eca47b3fadf2a42ed609f68d265e6b1a0a5629fb20338c45b6ed31cfa141
Opcode Fuzzy Hash: 6217d1f52f68499da46158bc7b5de8f19134ea31d65d8230de025008c52050e8
Instruction Fuzzy Hash: 7F116625A0CFC2C6EA309B52F0403AAE361FB94B94F008072D69D27A69DF3CE045CB04

Function 00007FFE13332EEC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE13332F18
GetCurrentThreadId.KERNEL32 ref: 00007FFE13332F26
GetCurrentProcessId.KERNEL32 ref: 00007FFE13332F32
QueryPerformanceCounter.KERNEL32 ref: 00007FFE13332F42

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: d9f98cd6e8095113ce688e9adc81d2d2b62b70132384823deca84349fed3ec32
Instruction ID: 91636e9d6e0b14421da765e8c760570b423b5d27a6b690c8c95efc4d6af645bb
Opcode Fuzzy Hash: d9f98cd6e8095113ce688e9adc81d2d2b62b70132384823deca84349fed3ec32
Instruction Fuzzy Hash: 7F112A22B14F018AEB00CF62E8543B873A4FB69B68F440E31EA6D967A8DF7CD154C340

Function 00007FFE00452BEC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE00452C18
GetCurrentThreadId.KERNEL32 ref: 00007FFE00452C26
GetCurrentProcessId.KERNEL32 ref: 00007FFE00452C32
QueryPerformanceCounter.KERNEL32 ref: 00007FFE00452C42

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 109ceed06940f0f17d4484f54d46a13cc3e2d9acbfc7514a401e54a12864ff88
Instruction ID: a17b97d7ea5cd208c9c9e23f8f8818c8a3051a32cf0b20074aac15045b75e167
Opcode Fuzzy Hash: 109ceed06940f0f17d4484f54d46a13cc3e2d9acbfc7514a401e54a12864ff88
Instruction Fuzzy Hash: 59112E26B14F028AEB00CF60E8542B933A4FB19B59F441E31DB6D477A8DF78E1548380

Function 00007FFE148E165C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE148E1688
GetCurrentThreadId.KERNEL32 ref: 00007FFE148E1696
GetCurrentProcessId.KERNEL32 ref: 00007FFE148E16A2
QueryPerformanceCounter.KERNEL32 ref: 00007FFE148E16B2

Memory Dump Source

Source File: 00000001.00000002.2667804984.00007FFE148E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000001.00000002.2667789447.00007FFE148E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667838554.00007FFE148E5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2667854016.00007FFE148E6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe148e0000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 7f6b854855521a5eeb54a69c346efd32b0b439a43f7217cfd0872cc224e201bb
Instruction ID: 66a7702088a0ed98d5d21ce2edda39b65c9d63279ff5969b6908eefb5e73ecd6
Opcode Fuzzy Hash: 7f6b854855521a5eeb54a69c346efd32b0b439a43f7217cfd0872cc224e201bb
Instruction Fuzzy Hash: C8113026B14F018AEB00DF61E8942B873A4F71A768F440E71EA6D567B4DF7CD6588340

Function 00007FFDFB3A8A20 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDFB3A8A4C
GetCurrentThreadId.KERNEL32 ref: 00007FFDFB3A8A5A
GetCurrentProcessId.KERNEL32 ref: 00007FFDFB3A8A66
QueryPerformanceCounter.KERNEL32 ref: 00007FFDFB3A8A76

Memory Dump Source

Source File: 00000001.00000002.2666699426.00007FFDFB201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFB200000, based on PE: true

Associated: 00000001.00000002.2666683732.00007FFDFB200000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2666857105.00007FFDFB482000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2666857105.00007FFDFB4A2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2666857105.00007FFDFB4B1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2666857105.00007FFDFB527000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667086810.00007FFDFB6F6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667130826.00007FFDFB763000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667147094.00007FFDFB765000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667163057.00007FFDFB766000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667178413.00007FFDFB767000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667195570.00007FFDFB769000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667242952.00007FFDFB7EF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667261746.00007FFDFB7F1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667278783.00007FFDFB7FB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667301806.00007FFDFB820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667318780.00007FFDFB821000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667337353.00007FFDFB822000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667353749.00007FFDFB823000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667369059.00007FFDFB825000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667387162.00007FFDFB831000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667403441.00007FFDFB832000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667427607.00007FFDFB874000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2667446336.00007FFDFB891000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb200000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c3ed045bb38a667c100e22636b803ba1f380a34d6de05b6f2a16d532bdd1e237
Instruction ID: 38b55490ada88983391d663e2f1a6acea32a42993edf941b552531a9a92f2aaf
Opcode Fuzzy Hash: c3ed045bb38a667c100e22636b803ba1f380a34d6de05b6f2a16d532bdd1e237
Instruction Fuzzy Hash: 6F113C26B15F068AEB00DF60EC646B833A4FB19758F441E31EA6D86BA8EF7CD154C340

Function 00007FF77D68D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF77D68D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF77D68D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF77D68D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF77D68D066

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 14a8499e14123beba902dd89f1c22f41f4dd9097b921d8cf51a00b565be52fc5
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 09111F26B28B0589EB00DF64E8542BA73B4F759798F440E31DA6D86764EF78D1548350

Function 00007FFE1A4609FC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE1A460A28
GetCurrentThreadId.KERNEL32 ref: 00007FFE1A460A36
GetCurrentProcessId.KERNEL32 ref: 00007FFE1A460A42
QueryPerformanceCounter.KERNEL32 ref: 00007FFE1A460A52

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 74344bb322e65ea4bb1ed5ded81f371800f489492d84809563666ba838173471
Instruction ID: 33dffdaf724ecdefb08a3f1d2a2de64897ed55664a948e8fbf907ee1024d40a7
Opcode Fuzzy Hash: 74344bb322e65ea4bb1ed5ded81f371800f489492d84809563666ba838173471
Instruction Fuzzy Hash: 7E113022B18F418AEB00CF61E8542B833B4F759B68F440E72DA6D477A8DF7CE1688340

Function 00007FFE13335338 Relevance: 6.0, APIs: 4, Instructions: 29threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON312 ref: 00007FFE1333535C
closesocket.WS2_32 ref: 00007FFE13335368
PyEval_RestoreThread.PYTHON312 ref: 00007FFE13335373
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13335382

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Eval_Thread$RestoreSave_errnoclosesocket
String ID:
API String ID: 1624953543-0
Opcode ID: 469834960f5fb333051253006ecc6c4dbb46e8df025279c03e012d890aa341a8
Instruction ID: b5c4f0274551ca12e17240d305ccf627bf02a8eec55b346948946d46e4334420
Opcode Fuzzy Hash: 469834960f5fb333051253006ecc6c4dbb46e8df025279c03e012d890aa341a8
Instruction Fuzzy Hash: EDF03C62A08F41C6EA549B57B448268B364FF68FB1B188370EA7E137F0CF7CD8858204

Function 00007FFE1A45F670 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A45F732
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A45F435), ref: 00007FFE1A45F78C

Strings

csm, xrefs: 00007FFE1A45F719

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind
String ID: csm
API String ID: 451473138-1018135373
Opcode ID: 88d75f8372be57577a220e465c4aa8d65e851ebfefcdd899ecde71752cd89d28
Instruction ID: 3e254eb058274db80f329d4f6bdb0b1a4564a01dbbbef0ed088735ea23cff000
Opcode Fuzzy Hash: 88d75f8372be57577a220e465c4aa8d65e851ebfefcdd899ecde71752cd89d28
Instruction Fuzzy Hash: 7A51D572B19A028ADB18EB17E444A7C73A1EB44FA4F1081F6DA5D437A8DF3DE861C701

Function 00007FF77D6A5B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77D6A1760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A1793

_get_daylight.LIBCMT ref: 00007FF77D6A5C34
_get_daylight.LIBCMT ref: 00007FF77D6A5C45

Strings

?, xrefs: 00007FF77D6A5BC5

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction ID: ff92f2518d4ab9e194f3fd5ebea0e4a1a50341733b802b621a1c783827fed23c
Opcode Fuzzy Hash: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction Fuzzy Hash: 5041F523E3C28241E724E725945137BA692EBD0BE4F944339EE9D86ADDEF3CD4418710

Function 00007FFE1A454E40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A454F16
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A454F74

Strings

csm, xrefs: 00007FFE1A45501A

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: a8b8ee24cb783e7d293a6e1db454b28b1bfc46eb23a73e5049af87221528bbc6
Instruction ID: 6c548b89e410d91d6acf8a4d69b70324756b5b1b9ef40ebb5ab467b027ff0735
Opcode Fuzzy Hash: a8b8ee24cb783e7d293a6e1db454b28b1bfc46eb23a73e5049af87221528bbc6
Instruction Fuzzy Hash: 1F511C73719B4186D660AB26E44027E77A4FB89FA1F1401B6EB8D47B65CF3CE461CB01

Function 00007FF77D699014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D699046

Part of subcall function 00007FF77D69A948: HeapFree.KERNEL32(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A95E
Part of subcall function 00007FF77D69A948: GetLastError.KERNEL32(?,?,?,00007FF77D6A2D22,?,?,?,00007FF77D6A2D5F,?,?,00000000,00007FF77D6A3225,?,?,?,00007FF77D6A3157), ref: 00007FF77D69A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF77D68CBA5), ref: 00007FF77D699064

Strings

C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe, xrefs: 00007FF77D699052

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
API String ID: 3580290477-818140841
Opcode ID: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
Instruction ID: 55a836dad8fb8ed1c6f3f5e98ecb12e168b273073b0afe6edf662220781ca243
Opcode Fuzzy Hash: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
Instruction Fuzzy Hash: BA416E37E3C71285E714AF2595800BAB7A7FB487D0B95527AE94D83B85FE3CE4818320

Function 00007FF77D69CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF77D69CD4F
GetLastError.KERNEL32 ref: 00007FF77D69CD71

Strings

U, xrefs: 00007FF77D69CCFB

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: cbeb1b35439bb3f0d7e1996fb4b1a01f507193706e99a2bb16ecf329025b6c6d
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: E4419163A3CA4181DB20AF25E4443BAA7A2FB887C4F814235EA4DC7798EF3CD405CB50

Function 00007FFE1A45A524 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A622

Strings

void , xrefs: 00007FFE1A45A5AC
void, xrefs: 00007FFE1A45A584

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: d81aed41cb4c8c5c69bd061dfd49733f36ea67ee8bb27e73bf8cb873ba0293ca
Instruction ID: 6a3847a797ea34b0243600d97617f3cdeba82360af4f26f101c998dbfe1bd0e4
Opcode Fuzzy Hash: d81aed41cb4c8c5c69bd061dfd49733f36ea67ee8bb27e73bf8cb873ba0293ca
Instruction Fuzzy Hash: 373105A2F18B559DFB01DBA5E8400FC37B0BB48B58F4405B6EA4E53A69DF3C9164C750

Function 00007FF77D69F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF77D69F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF77D69F64A

Strings

:, xrefs: 00007FF77D69F60E

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction ID: 964337a21861e369412d896d3835c6b074c981b240ba78b7c6488159310ffc96
Opcode Fuzzy Hash: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction Fuzzy Hash: 6E21A073E3C34181EB20AB15904427EA3A3EB94BC4F864239D68D83695EF7CE5458761

Function 00007FFE13334B6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13338654: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE13338698

PyErr_SetString.PYTHON312(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE13333FC0), ref: 00007FFE13334C47

Strings

bad bluetooth address, xrefs: 00007FFE13334C3D
%X:%X:%X:%X:%X:%X%c, xrefs: 00007FFE13334B97

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_String__stdio_common_vsscanf
String ID: %X:%X:%X:%X:%X:%X%c$bad bluetooth address
API String ID: 3283897942-3956635471
Opcode ID: 82460378f9390543d5d03a976a5082cfe22b1e135c935a62461cff4db5ddd525
Instruction ID: ccad937845cde5c8bb7df8308a8eeb5db2a80719b2c0d40099472df190f87b88
Opcode Fuzzy Hash: 82460378f9390543d5d03a976a5082cfe22b1e135c935a62461cff4db5ddd525
Instruction Fuzzy Hash: AF21CFB1718E859ADB50CB02E8880ACB3A2F754BE0F418136EABC57B64DF3DD858C710

Function 00007FFE1A45676F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456B10: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A456B60
Part of subcall function 00007FFE1A456B10: RaiseException.KERNEL32 ref: 00007FFE1A456BA1

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4567DF

Strings

Bad dynamic_cast!, xrefs: 00007FFE1A456792
Access violation - no RTTI data!, xrefs: 00007FFE1A45676F

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: 161e8b28e34caca24568961a6528755d3751e4ffa6d3c1bec0c9a5cac7a2823b
Instruction ID: 17a2e61351ae8dc12e7991a8cfa1d336490933007049f6bf365d772dc3632de2
Opcode Fuzzy Hash: 161e8b28e34caca24568961a6528755d3751e4ffa6d3c1bec0c9a5cac7a2823b
Instruction Fuzzy Hash: 690175A1B19D46A1EE40EB16F450178A360FF80F64F4854F3E51E07679EF6CE568C700

Function 00007FF77D68FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF77D68FD98
RaiseException.KERNEL32 ref: 00007FF77D68FDD9

Strings

csm, xrefs: 00007FF77D68FDC6

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: ba8f854b799dacf9db38a70c412af82643bc7bf57596a335849349486092c63c
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: 86114C33A2CB8182EB219F15E40026ABBE5FB88B84F984631DBCD47759EF3CC5558700

Function 00007FFE1A456B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A456B60
RaiseException.KERNEL32 ref: 00007FFE1A456BA1

Strings

csm, xrefs: 00007FFE1A456B8E

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 96783e5d5ee86e7ed91570add2de904558e3ade983638e121ecc73efc59d9239
Instruction ID: cbebe9d87d3f32192772af2eaa90a002eec98cf13a5b03ff9fcc6ff7f3e1d358
Opcode Fuzzy Hash: 96783e5d5ee86e7ed91570add2de904558e3ade983638e121ecc73efc59d9239
Instruction Fuzzy Hash: 86112E72618F8182EB618B16F840269B7E5FB88F99F5842B1DF8C07768DF3DD5618700

Function 00007FF77D6A073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77D6A076C
GetDriveTypeW.KERNEL32 ref: 00007FF77D6A07AC

Strings

:, xrefs: 00007FF77D6A0795

Memory Dump Source

Source File: 00000001.00000002.2666583150.00007FF77D681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77D680000, based on PE: true

Associated: 00000001.00000002.2666564889.00007FF77D680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666607457.00007FF77D6AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666629980.00007FF77D6C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2666662431.00007FF77D6C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff77d680000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: ec74fa260558e8435e2ed8b85590191b1fb7eb131c19f089dfce8499952ac3d5
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 6A017163D3C20285E720BF60946127FA3A2EF847C4FD00235D58DD2685FE3CE5048B24

Function 00007FFE00454C28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFE00454C78
PyUnicode_FromString.PYTHON312 ref: 00007FFE00454C95

Strings

no such name, xrefs: 00007FFE00454C6E

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: String$Err_FromUnicode_
String ID: no such name
API String ID: 3678473424-4211486178
Opcode ID: 3005c2e76ccdbfdbb1504f9de79cdf15a2dc4c168f6a8fbb72cf26d2d18b7585
Instruction ID: 96cceaa9ae5b413b3fd2aea7a524f45295509af4aaab05d7c19fd320677e6266
Opcode Fuzzy Hash: 3005c2e76ccdbfdbb1504f9de79cdf15a2dc4c168f6a8fbb72cf26d2d18b7585
Instruction Fuzzy Hash: 28012C31A19E4291FB618B25E8543B923A0BFD8B4AF410031DB4E4A37AEE2CE0458B08

Function 00007FFE133341EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFE1333422F

Strings

getsockaddrlen: bad family, xrefs: 00007FFE13334207
getsockaddrlen: unknown BT protocol, xrefs: 00007FFE1333421E

Memory Dump Source

Source File: 00000001.00000002.2667720462.00007FFE13331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13330000, based on PE: true

Associated: 00000001.00000002.2667704348.00007FFE13330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667756494.00007FFE13341000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13330000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Err_String
String ID: getsockaddrlen: bad family$getsockaddrlen: unknown BT protocol
API String ID: 1450464846-3381576205
Opcode ID: 68c5e8985835ae6d1ad6a3eb8734c9d41b7279e8c40dd2ee74cade83e5c1d99f
Instruction ID: 3f854c0d9fe083b14bc9a0792ed4fb52ff3f1f9a0590a297cb17ff692d9c7d74
Opcode Fuzzy Hash: 68c5e8985835ae6d1ad6a3eb8734c9d41b7279e8c40dd2ee74cade83e5c1d99f
Instruction Fuzzy Hash: DB011DB990C902CDF7648F0BD484278A2A1AB65F20F61C4B1C52DF66B0CF7CA4D59709

Function 00007FFE1A45F420 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45F45A

Strings

f, xrefs: 00007FFE1A45F435
csm, xrefs: 00007FFE1A45F43B

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: abortterminate
String ID: csm$f
API String ID: 661698970-629598281
Opcode ID: f31257b661c57643b6b4b1793288747ab2a9155158c122d579431834bbccefac
Instruction ID: 466f39f7d2c6ad8747c7229578763f3ef958adfb448de98c0d7c4ff533c0d341
Opcode Fuzzy Hash: f31257b661c57643b6b4b1793288747ab2a9155158c122d579431834bbccefac
Instruction Fuzzy Hash: 70E06C71E08B5141DB507B23B14017D6664AF56F75F1480F6DB4807666CF3CD4B08702

Function 00007FFE004525A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_PyObject_GC_New.PYTHON312(?,?,00000000,00007FFE00452513), ref: 00007FFE004525A6
PyObject_GC_Track.PYTHON312(?,?,00000000,00007FFE00452513), ref: 00007FFE004525D8

Strings

3.2.0, xrefs: 00007FFE004525B4

Memory Dump Source

Source File: 00000001.00000002.2667485466.00007FFE00451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00450000, based on PE: true

Associated: 00000001.00000002.2667467986.00007FFE00450000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00455000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE004FE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00502000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE00507000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667671456.00007FFE00562000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: Object_$Track
String ID: 3.2.0
API String ID: 16854473-1786766648
Opcode ID: 05fdb2ae452a8d6f4b3be3f11c3efdbfda8cc49ab31c9f152460280c20d50ee3
Instruction ID: ccbb104c83f3db08d03c83c5503cd6530072bed03bcd89f24aab938ec7c1446b
Opcode Fuzzy Hash: 05fdb2ae452a8d6f4b3be3f11c3efdbfda8cc49ab31c9f152460280c20d50ee3
Instruction Fuzzy Hash: EAE0E524E09F06A1EA158F21A86407823A8BF09B46B540136CE4C0233AEF7CE5A8C248

Function 00007FFE1A456E64 Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE1A456CE9,?,?,?,?,00007FFE1A460582,?,?,?,?,?), ref: 00007FFE1A456E83
SetLastError.KERNEL32(?,?,?,00007FFE1A456CE9,?,?,?,?,00007FFE1A460582,?,?,?,?,?), ref: 00007FFE1A456F0C

Memory Dump Source

Source File: 00000001.00000002.2667891014.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.2667872888.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667929860.00007FFE1A468000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_ITC590-Script 3 V2-P-2024.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 29fbcb28d85caf8942357daff49778de6b87ab13b42ab574bfe6367f35ca65f9
Instruction ID: 33c700dcbbda43727ad60f5bfec39fe087911570393653a7a61029dbca3fc842
Opcode Fuzzy Hash: 29fbcb28d85caf8942357daff49778de6b87ab13b42ab574bfe6367f35ca65f9
Instruction Fuzzy Hash: 181136A1F0DE4282FA55AB67A84417462A1AF44FB4F084AF6E93E077F5DF2CB4618710

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ITC590-Script 3 V2-P-2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI68802\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI68802\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI68802\_decimal.pyd

C:\Users\user\AppData\Local\Temp\_MEI68802\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI68802\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI68802\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip

C:\Users\user\AppData\Local\Temp\_MEI68802\libcrypto-3.dll

C:\Users\user\AppData\Local\Temp\_MEI68802\python312.dll

C:\Users\user\AppData\Local\Temp\_MEI68802\select.pyd

C:\Users\user\AppData\Local\Temp\_MEI68802\unicodedata.pyd

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
ITC590-Script 3 V2-P-2024.exe

Function 00007FF77D6889E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Function 00007FF77D681000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509
COMMON

Function 00007FF77D6A6964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Function 00007FF77D6883C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Function 00007FF77D681950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Function 00007FF77D681600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Function 00007FF77D688660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Function 00007FF77D681210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Function 00007FF77D69ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Function 00007FF77D6836B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Function 00007FF77D69BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Function 00007FF77D688570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Function 00007FF77D6890E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Function 00007FF77D69CF60 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON