Windows Analysis Report
ATLEQQXO.exe

Overview

General Information

Sample name: ATLEQQXO.exe
Analysis ID: 1577351
MD5: 2fd56c681ad71cfb61512d85213397fa
SHA1: d8f6d6bda59e00a56da58d596d427e834a551f36
SHA256: ae52eea09c54ce2122a585dab0231555763f5be6e90b1e63b5886cf4116ea68d
Tags: 18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ATLEQQXO.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\ATLEQQXO.exe" MD5: 2FD56C681AD71CFB61512D85213397FA)
    • pyexec.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Local\Temp\pyexec.exe" MD5: B6F6C3C38568EE26F1AC70411A822405)
      • pyexec.exe (PID: 7576 cmdline: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe MD5: B6F6C3C38568EE26F1AC70411A822405)
        • cmd.exe (PID: 7780 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • uzfvalidate.exe (PID: 280 cmdline: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe MD5: 967F4470627F823F4D7981E511C9824F)
  • pyexec.exe (PID: 5776 cmdline: "C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe" MD5: B6F6C3C38568EE26F1AC70411A822405)
    • cmd.exe (PID: 5824 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • pyexec.exe (PID: 1712 cmdline: "C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe" MD5: B6F6C3C38568EE26F1AC70411A822405)
    • cmd.exe (PID: 3896 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • uzfvalidate.exe (PID: 7584 cmdline: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe MD5: 967F4470627F823F4D7981E511C9824F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000B.00000002.2599238331.0000000002CF0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000001.00000002.2017596159.0000000003602000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000004.00000002.2185711490.000000000353F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000011.00000002.2751851758.00000000035F9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |

Source | Rule | Description | Author | Strings
11.2.cmd.exe.2cf07f8.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
11.2.cmd.exe.2cf07f8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | 0x10f60:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}; 0x10f28:$s2: Elevation:Administrator!new:
18.2.cmd.exe.49e66cd.4.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
18.2.cmd.exe.49e66cd.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | 0x25e61e:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}; 0x25e6a9:$s1: CoGetObject; 0x25e602:$s2: Elevation:Administrator!new:
20.2.uzfvalidate.exe.27006ed.3.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

                  AV Detection

                  Source: ATLEQQXO.exe, ReversingLabs: Detection: 63%
                  Source: Submited Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: C:\Users\user\AppData\Local\Temp\vaccxytkaw, Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\qcfxollsqr, Joe Sandbox ML: detected

                  Exploits

                  Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 7780, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: uzfvalidate.exe PID: 280, type: MEMORYSTR
                  Source: ATLEQQXO.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe, File opened: C:\Users\user\AppData\Local\Temp\msvcr90.dll
                  Source: Binary string: msvcr90.i386.pdb source: ATLEQQXO.exe
                  Source: Binary string: ntdll.pdb source: uzfvalidate.exe
                  Source: Binary string: wntdll.pdbUGP source: pyexec.exe, cmd.exe
                  Source: Binary string: ntdll.pdbUGP source: uzfvalidate.exe
                  Source: Binary string: wntdll.pdb source: pyexec.exe, cmd.exe
                  Source: Binary string: C:\build27\cpython\PCBuild\python27.pdb source: ATLEQQXO.exe, pyexec.exe
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe, Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe, Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\
                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Roaming\
                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\
                  Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                  Source: unknown, DNS traffic detected: query: amenstilo.website replaycode: Name error (3)
                  Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic, DNS traffic detected: DNS query: amenstilo.website
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                  Source: pyexec.exe, 00000009.00000002.2540844549.000000006CADA000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://python.org/dev/peps/pep-0263/
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2016483557.00000000006BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2016483557.00000000006BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2016483557.00000000006BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2016483557.00000000006BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2016483557.00000000006BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.???.xx/?search=%s
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                  Source: pyexec.exe, 00000001.00000002.2017596159.0000000003366000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.000000000509B000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.0000000003345000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002749000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000000.2387762711.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
                  Source: uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.surfok.de/
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
                  Source: uzfvalidate.exe, 0000000A.00000003.2564848089.00000000004E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/
                  Source: uzfvalidate.exe, 0000000A.00000003.2569044412.00000000004E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/.zO=
                  Source: uzfvalidate.exe, 0000000A.00000003.2570624959.00000000004E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/2z
                  Source: uzfvalidate.exe, 0000000A.00000002.2572412655.00000000004E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/:z
                  Source: uzfvalidate.exe, 0000000A.00000003.2564848089.00000000004E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/Bz
                  Source: uzfvalidate.exe, 0000000A.00000002.2572412655.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2572412655.0000000000509000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000003.2564848089.0000000000509000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000003.2564848089.00000000004E7000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000003.2565012223.000000000050A000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000003.2556675846.0000000000510000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000003.2562183771.0000000000519000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000003.2555199319.0000000000510000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/Don_Edwards?atyh7eeqttnb3s=fQ7RLJljbyh%2BwDv7gAgqxsUgC17NXOOzLhsEZLteSFedN
                  Source: uzfvalidate.exe, 0000000A.00000003.2564848089.00000000004E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/bz
                  Source: uzfvalidate.exe, 0000000A.00000003.2567639862.00000000004E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/fz
                  Source: uzfvalidate.exe, 0000000A.00000003.2569044412.00000000004E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/jz
                  Source: uzfvalidate.exe, 0000000A.00000002.2572412655.00000000004E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/nz
                  Source: uzfvalidate.exe, 0000000A.00000003.2569044412.00000000004E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website/rz
                  Source: uzfvalidate.exe, 0000000A.00000003.2570430954.0000000000519000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000003.2558544001.0000000000519000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website:443
                  Source: uzfvalidate.exe, 00000014.00000003.3057008710.0000000000626000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website:443/Don_Edwards?atyh7eeqttnb3s=fQ7RLJljbyh%2BwDv7gAgqxsUgC17NXOOzLhsEZLteS
                  Source: uzfvalidate.exe, 0000000A.00000003.2566233935.0000000000519000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000003.2564848089.0000000000519000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000003.2562183771.0000000000519000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amenstilo.website:443H
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2016483557.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2016483557.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2016483557.00000000006BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539215113.000000000339B000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                  Source: cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0

                  System Summary

                  Source: 11.2.cmd.exe.2cf07f8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 18.2.cmd.exe.49e66cd.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 20.2.uzfvalidate.exe.27006ed.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 11.2.cmd.exe.4cb0acd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 6.2.cmd.exe.512facd.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 11.2.cmd.exe.4c6ba00.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 11.2.cmd.exe.4cb16cd.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 6.2.cmd.exe.50eaa00.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 11.2.cmd.exe.2cc4a08.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 20.2.uzfvalidate.exe.26ffaed.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 20.2.uzfvalidate.exe.26baa20.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 10.2.uzfvalidate.exe.27ddaed.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 10.2.uzfvalidate.exe.27de6ed.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 6.2.cmd.exe.51306cd.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 18.2.cmd.exe.49e5acd.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 18.2.cmd.exe.49a0a00.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 10.2.uzfvalidate.exe.2798a20.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: uzfvalidate.exe.6.drStatic PE information: Resource name: ZIP type: Zip archive data (empty)
                  Source: qcfxollsqr.6.drStatic PE information: Number of sections : 12 > 10
                  Source: vaccxytkaw.18.drStatic PE information: Number of sections : 12 > 10
                  Source: ATLEQQXO.exe, 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs ATLEQQXO.exe
                  Source: ATLEQQXO.exe, 00000000.00000003.1907620160.0000000000750000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepython27.dll. vs ATLEQQXO.exe
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMSVCR90.DLL^ vs ATLEQQXO.exe
                  Source: ATLEQQXO.exe, 00000000.00000003.1907189626.0000000002A6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepython27.dll. vs ATLEQQXO.exe
                  Source: ATLEQQXO.exe, 00000000.00000003.1898095373.000000000253D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs ATLEQQXO.exe
                  Source: ATLEQQXO.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 11.2.cmd.exe.2cf07f8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 18.2.cmd.exe.49e66cd.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 20.2.uzfvalidate.exe.27006ed.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 11.2.cmd.exe.4cb0acd.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 6.2.cmd.exe.512facd.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 11.2.cmd.exe.4c6ba00.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 11.2.cmd.exe.4cb16cd.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 6.2.cmd.exe.50eaa00.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 11.2.cmd.exe.2cc4a08.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 20.2.uzfvalidate.exe.26ffaed.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 20.2.uzfvalidate.exe.26baa20.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 10.2.uzfvalidate.exe.27ddaed.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 10.2.uzfvalidate.exe.27de6ed.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 6.2.cmd.exe.51306cd.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 18.2.cmd.exe.49e5acd.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 18.2.cmd.exe.49a0a00.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 10.2.uzfvalidate.exe.2798a20.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: classification engineClassification label: mal92.expl.evad.winEXE@20/17@2/0
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeCode function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,0_2_00407776
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeCode function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,0_2_0040118A
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeCode function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_004034C1
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeCode function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,0_2_00401BDF
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeFile created: C:\Users\user\AppData\Roaming\UpdateChrome_ZeJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeFile created: C:\Users\user\AppData\Local\Temp\kkfppsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeCommand line argument: windows_exe1_2_00401110
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeCommand line argument: sys1_2_00401110
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeCommand line argument: _MessageBox1_2_00401110
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeCommand line argument: windows_exe9_2_00401110
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeCommand line argument: sys9_2_00401110
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeCommand line argument: _MessageBox9_2_00401110
                  Source: ATLEQQXO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: ATLEQQXO.exeReversingLabs: Detection: 63%
                  Source: pyexec.exeString found in binary or memory: --help
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeFile read: C:\Users\user\Desktop\ATLEQQXO.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\ATLEQQXO.exe "C:\Users\user\Desktop\ATLEQQXO.exe"
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeProcess created: C:\Users\user\AppData\Local\Temp\pyexec.exe "C:\Users\user\AppData\Local\Temp\pyexec.exe"
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeProcess created: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe "C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe C:\Users\user\AppData\Local\Temp\uzfvalidate.exe
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe "C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe"
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe C:\Users\user\AppData\Local\Temp\uzfvalidate.exe
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeProcess created: C:\Users\user\AppData\Local\Temp\pyexec.exe "C:\Users\user\AppData\Local\Temp\pyexec.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeProcess created: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe C:\Users\user\AppData\Local\Temp\uzfvalidate.exeJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe C:\Users\user\AppData\Local\Temp\uzfvalidate.exeJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeSection loaded: pla.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeSection loaded: pdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeSection loaded: tdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeSection loaded: wevtapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: pla.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: pdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: tdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: wevtapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: bitsproxy.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: pla.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: pdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: tdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: wevtapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: msftedit.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: comsvcs.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmlua.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: pla.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: pdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: tdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: wevtapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: ivf.6.drLNK file: ..\..\Roaming\UpdateChrome_Ze\pyexec.exe
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Windows\SysWOW64\msftedit.dllJump to behavior
                  Source: ATLEQQXO.exeStatic file information: File size 5343929 > 1048576
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeFile opened: C:\Users\user\AppData\Local\Temp\msvcr90.dllJump to behavior
                  Source: Binary string: msvcr90.i386.pdb source: ATLEQQXO.exe, 00000000.00000003.1907189626.0000000002793000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb source: uzfvalidate.exe
                  Source: Binary string: wntdll.pdbUGP source: pyexec.exe, 00000001.00000002.2018507861.00000000039EF000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2018682319.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2186740832.000000000382E000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2187074277.0000000003B80000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2187484498.0000000004034000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2469157872.0000000005610000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468680961.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2540091080.0000000003FDB000.00000004.00000001.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539698343.00000000038C0000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539870229.0000000003C20000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdbUGP source: uzfvalidate.exe, 0000000A.00000002.2579621814.000000000657D000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2576444929.0000000004F73000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2578645598.0000000005F70000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2575633246.000000000477C000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2578352358.0000000005D7D000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2573492296.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2581638557.0000000007178000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2575034096.0000000004173000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2578139801.0000000005B7D000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2576239426.0000000004D78000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2579957684.0000000006770000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2580719725.0000000006B72000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2581309463.0000000006F71000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2579278538.0000000006371000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2577362533.0000000005578000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2575841211.0000000004970000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2574812388.0000000003F75000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2577922990.000000000597A000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 
0000000A.00000002.2572929622.0000000002340000.00000004.00000020.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2575231741.0000000004378000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2577726520.0000000005775000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2576684859.000000000517A000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2575440310.0000000004575000.00000004.00000001.00020000.00000000.sdmp, uzfvalidate.exe, 0000000A.00000002.2577098151.0000000005372000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: pyexec.exe, 00000001.00000002.2018507861.00000000039EF000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2018682319.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2186740832.000000000382E000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2187074277.0000000003B80000.00000004.00000800.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2187484498.0000000004034000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2469157872.0000000005610000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468680961.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2540091080.0000000003FDB000.00000004.00000001.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539698343.00000000038C0000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000009.00000002.2539870229.0000000003C20000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\build27\cpython\PCBuild\python27.pdb source: ATLEQQXO.exe, 00000000.00000003.1907189626.000000000282C000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp, pyexec.exe, 00000001.00000003.2011482547.00000000021F2000.00000004.00000001.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2188285100.000000006BC6A000.00000002.00000001.01000000.00000009.sdmp, pyexec.exe, 00000009.00000002.2540844549.000000006CADA000.00000002.00000001.01000000.00000009.sdmp
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
                  Source: qcfxollsqr.6.dr Static PE information: real checksum: 0x27642f should be: 0x27b597
                  Source: pyexec.exe.1.dr Static PE information: real checksum: 0x7592 should be: 0x73ad
                  Source: pyexec.exe.0.dr Static PE information: real checksum: 0x7592 should be: 0x73ad
                  Source: python27.dll.0.dr Static PE information: real checksum: 0x29675c should be: 0x28d381
                  Source: python27.dll.1.dr Static PE information: real checksum: 0x29675c should be: 0x28d381
                  Source: ATLEQQXO.exe Static PE information: real checksum: 0x33302 should be: 0x51ac35
                  Source: vaccxytkaw.18.dr Static PE information: real checksum: 0x27642f should be: 0x27b597
                  Source: uzfvalidate.exe.6.dr Static PE information: section name: Shared
                  Source: qcfxollsqr.6.dr Static PE information: section name: .xdata
                  Source: qcfxollsqr.6.dr Static PE information: section name: aeeh
                  Source: vaccxytkaw.18.dr Static PE information: section name: .xdata
                  Source: vaccxytkaw.18.dr Static PE information: section name: aeeh
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Code function: 0_2_00411C20 push eax; ret 0_2_00411C4E
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Code function: 1_2_00402F71 push ecx; ret 1_2_00402F84
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Code function: 9_2_00402F71 push ecx; ret 9_2_00402F84
                  Source: msvcr90.dll.0.dr Static PE information: section name: .text entropy: 6.9217598022130655
                  Source: msvcr90.dll.1.dr Static PE information: section name: .text entropy: 6.9217598022130655
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe File created: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe File created: C:\Users\user\AppData\Local\Temp\python27.dll
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe File created: C:\Users\user\AppData\Local\Temp\pyexec.exe
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\qcfxollsqr
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe File created: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\msvcr90.dll
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\vaccxytkaw
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe File created: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\python27.dll
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe File created: C:\Users\user\AppData\Local\Temp\msvcr90.dll
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\qcfxollsqr
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\vaccxytkaw

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QCFXOLLSQR
                  Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\VACCXYTKAW
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe API/Special instruction interceptor: Address: 6BE67C44
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe API/Special instruction interceptor: Address: 6CC67C44
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe API/Special instruction interceptor: Address: 6CC67945
                  Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6CC63B54
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\python27.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qcfxollsqr
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\msvcr90.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vaccxytkaw
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\python27.dll
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msvcr90.dll
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe API coverage: 0.8 %
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe API coverage: 0.5 %
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe API coverage: 0.8 %
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe TID: 6424 Thread sleep time: -180000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe TID: 1720 Thread sleep time: -180000s >= -30000s
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                  Source: uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
                  Source: uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
                  Source: uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
                  Source: uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
                  Source: uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
                  Source: uzfvalidate.exe, 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
                  Source: uzfvalidate.exe, 0000000A.00000002.2572412655.000000000049E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Code function: 1_2_004030A8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,1_2_004030A8
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Code function: 1_2_6C8211D7 mov eax, dword ptr fs:[00000030h] 1_2_6C8211D7
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Code function: 4_2_6BB211D7 mov eax, dword ptr fs:[00000030h] 4_2_6BB211D7
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Code function: 9_2_6C9911D7 mov eax, dword ptr fs:[00000030h] 9_2_6C9911D7
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Code function: 1_2_004022C0 free,free,VirtualFree,free,GetProcessHeap,HeapFree,1_2_004022C0
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Code function: 1_2_004030A8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,1_2_004030A8
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Code function: 1_2_00402CAD SetUnhandledExceptionFilter,1_2_00402CAD
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Code function: 1_2_6C968908 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,1_2_6C968908
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Code function: 4_2_6BC68908 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,4_2_6BC68908
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Code function: 9_2_004030A8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,9_2_004030A8
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Code function: 9_2_00402CAD SetUnhandledExceptionFilter,9_2_00402CAD
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Code function: 9_2_6CAD8908 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,9_2_6CAD8908

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68C2C5242
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68C12FBB4
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68CFE51E2
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68C2CDEEE
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQuerySystemInformation: Direct from: 0x7FF68CFE7BDF
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryValueKey: Direct from: 0x7FF68CE78830
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68C18FBDA
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQuerySystemInformation: Direct from: 0x7FF68CE43E22
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryValueKey: Direct from: 0x14011D93E
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68C11A3C6
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68C18A4CD
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtClose: Direct from: 0x7FF68CFE68D7
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryInformationToken: Direct from: 0x7FF68C187970
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68CE54B9A
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68C2CDFC6
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtClose: Direct from: 0x14011D864
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FFE221E4B5E
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtCreateFile: Direct from: 0x7FF68C2C43E0
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtClose: Indirect: 0x14012000F
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtSetInformationProcess: Direct from: 0x7FF68CE5671E
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68CDA4541
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryInformationToken: Direct from: 0x7FF68C153CE6
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtClose: Direct from: 0x7FF68C1372D3
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtCreateFile: Direct from: 0x7FF68C2C224F
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtClose: Direct from: 0x7FF68C2C68E5
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtCreateFile: Direct from: 0x7FF68CFE43E0
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68C084541
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68CE4420F
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryInformationProcess: Direct from: 0x7FF68CE56830
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68CFEDFC6
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryInformationToken: Direct from: 0x7FFE221C26A1
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryInformationToken: Direct from: 0x7FF68CE73CE6
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryInformationToken: Direct from: 0x7FF68CEA7970
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtSetInformationProcess: Direct from: 0x7FF68C137D3A
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtCreateFile: Direct from: 0x7FF68CFE224F
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQuerySystemInformation: Direct from: 0x7FF68C18BAC8
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe NtQuerySystemInformation: Direct from: 0x401CF4
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtSetInformationProcess: Direct from: 0x7FF68CE57D3A
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryInformationProcess: Direct from: 0x7FF68C136830
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtClose: Direct from: 0x7FF68CFE68E5
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryValueKey: Direct from: 0x7FF68CE785F7
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68CFE5670
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68CFEBF83
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtCreateFile: Direct from: 0x7FF68CE4F991
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQuerySystemInformation: Direct from: 0x7FF68C1B9FCB
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQuerySystemInformation: Direct from: 0x7FF68CEABAC8
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryValueKey: Direct from: 0x7FF68C157F3A
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtOpenKeyEx: Direct from: 0x7FF68CE7706C
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x14011D808
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68CE572D3
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtReadVirtualMemory: Direct from: 0x7FF68CFE1F6D
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68C134B9A
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtSetInformationProcess: Direct from: 0x7FF68C13671E
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryValueKey: Direct from: 0x7FF68CE77F3A
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQuerySystemInformation: Direct from: 0x7FF68CED9FCB
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68CE51CBF
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQuerySystemInformation: Direct from: 0x7FF68C123E22
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtReadFile: Direct from: 0x7FF68CE4FC47
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68CE4FBB4
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68CFEDEEE
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtReadFile: Direct from: 0x14011D832
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68CEAA4CD
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe NtSetInformationThread: Direct from: 0x6C9923FD
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryValueKey: Direct from: 0x7FF68C157AC3
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68CFE5242
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68CDA7DC7
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtClose: Direct from: 0x7FF68C2C68C3
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryInformationProcess: Direct from: 0x7FF68CE56FA9
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtCreateThreadEx: Direct from: 0x7FF68CDA4803
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryValueKey: Direct from: 0x7FF68C1585F7
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68C087DC7
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtCreateFile: Direct from: 0x14011D7A4
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68C2C5670
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtClose: Direct from: 0x7FF68C2C68D7
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68C2CBF83
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtCreateThreadEx: Direct from: 0x7FF68C084803
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe NtSetInformationThread: Direct from: 0x6BB223FD
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtOpenKeyEx: Direct from: 0x7FF68C15706C
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtReadVirtualMemory: Direct from: 0x7FF68C2C1F6D
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryValueKey: Direct from: 0x7FF68CE77AC3
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68C12420F
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtClose: Direct from: 0x7FF68CFE68C3
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtCreateFile: Direct from: 0x7FF68C12F991
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtReadFile: Direct from: 0x7FF68C12FC47
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68C2C51E2
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryInformationProcess: Direct from: 0x7FF68C136FA9
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQueryValueKey: Direct from: 0x7FF68C158830
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x140120A3C
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtProtectVirtualMemory: Direct from: 0x7FF68CE3A3C6
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtAllocateVirtualMemory: Direct from: 0x7FF68C131CBF
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe NtSetInformationThread: Direct from: 0x6BB123FD
                  Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe NtQuerySystemInformation: Direct from: 0x7FF68C2C7BDF
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe protection: read write
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe protection: read write
                  Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe base: 14011BC08
                  Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe base: 21C010
                  Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe base: 14011BC08
                  Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe base: 302010
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Process created: C:\Users\user\AppData\Local\Temp\pyexec.exe "C:\Users\user\AppData\Local\Temp\pyexec.exe"
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe C:\Users\user\AppData\Local\Temp\uzfvalidate.exe
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe C:\Users\user\AppData\Local\Temp\uzfvalidate.exe
                  Source: pyexec.exe, 00000001.00000002.2017596159.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, pyexec.exe, 00000004.00000002.2185711490.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Code function: 0_2_0040D72E cpuid 0_2_0040D72E
                  Source: C:\Users\user\Desktop\ATLEQQXO.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_00401F9D
                  Source: C:\Users\user\AppData\Local\Temp\pyexec.exe Code function: GetACP,PyOS_snprintf,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_Py_NoneStruct,Py_BuildValue,1_2_6C82FDD0
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Code function: GetACP,PyOS_snprintf,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_Py_NoneStruct,Py_BuildValue,4_2_6BB2FDD0
                  Source: C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe Code function: GetACP,PyOS_snprintf,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_Py_NoneStruct,Py_BuildValue,9_2_6C99FDD0
Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeCode function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401626
                  Source: C:\Users\user\Desktop\ATLEQQXO.exeCode function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00404FAA
Source: C:\Users\user\AppData\Local\Temp\uzfvalidate.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Command and Scripting Interpreter | 11 DLL Side-Loading | 212 Process Injection | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 DLL Side-Loading | 212 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Abuse Elevation Control Mechanism | LSA Secrets | 3 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 145 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
[Behavior graph] Behavior Graph ID: 1577351; Sample: ATLEQQXO.exe; Start date: 18/12/2024; Architecture: WINDOWS; Score: 92

Source | Detection | Scanner | Label | Link
ATLEQQXO.exe | 63% | ReversingLabs | Win32.Downloader.Rugmi |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\vaccxytkaw | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\qcfxollsqr | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\msvcr90.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\pyexec.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\python27.dll | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\uzfvalidate.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\UpdateChrome_Ze\msvcr90.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\UpdateChrome_Ze\python27.dll | 4% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
https://amenstilo.website/jz | 0% | Avira URL Cloud | safe |
https://amenstilo.website/fz | 0% | Avira URL Cloud | safe |
https://amenstilo.website/2z | 0% | Avira URL Cloud | safe |
https://amenstilo.website/.zO= | 0% | Avira URL Cloud | safe |
https://amenstilo.website:443H | 0% | Avira URL Cloud | safe |
https://amenstilo.website/nz | 0% | Avira URL Cloud | safe |
https://amenstilo.website/Don_Edwards?atyh7eeqttnb3s=fQ7RLJljbyh%2BwDv7gAgqxsUgC17NXOOzLhsEZLteSFedN | 0% | Avira URL Cloud | safe |
https://amenstilo.website/ | 0% | Avira URL Cloud | safe |
https://amenstilo.website/rz | 0% | Avira URL Cloud | safe |
https://amenstilo.website/bz | 0% | Avira URL Cloud | safe |
https://amenstilo.website/:z | 0% | Avira URL Cloud | safe |
https://amenstilo.website:443 | 0% | Avira URL Cloud | safe |
https://amenstilo.website:443/Don_Edwards?atyh7eeqttnb3s=fQ7RLJljbyh%2BwDv7gAgqxsUgC17NXOOzLhsEZLteS | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
amenstilo.website | unknown | unknown | false | | unknown
                                                                      No contacted IP infos
                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                      Analysis ID:1577351
                                                                      Start date and time:2024-12-18 12:22:19 +01:00
                                                                      Joe Sandbox product:CloudBasic
                                                                      Overall analysis duration:0h 10m 1s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                      Number of analysed new started processes analysed:20
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:1
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Sample name:ATLEQQXO.exe
                                                                      Detection:MAL
                                                                      Classification:mal92.expl.evad.winEXE@20/17@2/0
                                                                      EGA Information:
                                                                      • Successful, ratio: 100%
                                                                      HCA Information:
                                                                      • Successful, ratio: 92%
                                                                      • Number of executed functions: 42
                                                                      • Number of non-executed functions: 425
                                                                      Cookbook Comments:
                                                                      • Found application associated with file extension: .exe
                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
                                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                      • Not all processes were analyzed, report is missing behavior information
                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • VT rate limit hit for: ATLEQQXO.exe
                                                                      Time | Type | Description
                                                                      06:24:33 | API Interceptor | 40x Sleep call for process: uzfvalidate.exe modified
                                                                      11:24:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\securityStream.lnk
                                                                      No context
                                                                      Match: C:\Users\user\AppData\Local\Temp\msvcr90.dll
                                                                      Associated Sample Name / URL | Detection | Threat Name
                                                                      IMAKBWPY.exe | malicious | LummaC
                                                                      JIKJCBEX.exe | malicious | LummaC
                                                                      InvoiceNr274728.pdf.lnk | malicious | LummaC
                                                                      KlarnaInvoice229837.pdf.lnk | malicious | LummaC
                                                                      upgrade.hta | malicious | DarkVision Rat
                                                                      file.ps1 | malicious | LummaC Stealer
                                                                      bUAmCazc.ps1 | malicious | LummaC Stealer
                                                                      KBKHHYI29L.msi | malicious | Amadey
                                                                      http://winningwriters.com | malicious | Unknown
                                                                                        Process:C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):5677106
                                                                                        Entropy (8bit):7.748539160950584
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:IZOU4iVP2W69QB5ZYc2X2HjmhpFcF2v9XslHlS3ly2mqmMe4zt:OlVPs9QT6E2va+0kB
                                                                                        MD5:8C5AA97A220D3135B90AD2878D52E31A
                                                                                        SHA1:0C7E8AA9B39B4DDFFA498FAD0875DA34D0452C2E
                                                                                        SHA-256:60080C4FEBE3E46C9AF8EB7D9966CFC36C7FE47C647FC3E826F442DB05399E0E
                                                                                        SHA-512:5CFD7B4D883194F0CC8272AFEDE7B6CEC20A9B8FC2E45CA6E88F8D5858CAD027F806B8F376069A77F69363690145C185B2B4D89E06FB0628752CC63B77E2F924
                                                                                        Malicious:false
                                                                                        Process:C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):5677106
                                                                                        Entropy (8bit):7.748539229835212
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:hZOU4iVP2W69QB5ZYc2X2HjmhpFcF2v9XslHlS3ly2mqmMe4zt:XlVPs9QT6E2va+0kB
                                                                                        MD5:FB1627EC4C9831442DFB02E33B8B8E99
                                                                                        SHA1:B73D744FECCBD9936F5D78159775F764072EAE0E
                                                                                        SHA-256:6E9BFF9A6FCA19A24FC37F112E068A18067DCEA8BE6DCE0FDD14E2F9BA903E13
                                                                                        SHA-512:AA43A5003848407443FEA9BD88D2F5AC011555086FAE8DB996BA2379D700FCC402B1C872588E63467421E79AC6B6E5290D090AFE6062C3B1C34572E120E43EC6
                                                                                        Malicious:false
                                                                                        Process:C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):5677106
                                                                                        Entropy (8bit):7.748538538318428
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:SZOU4iVP2W69QB5ZYc2X2HjmhpFcF2v9XslHlS3ly2mqmMe4zt:klVPs9QT6E2va+0kB
                                                                                        MD5:FE27BAB3E02AEA480D2D9FBF49525C8A
                                                                                        SHA1:48BB57D276B322A19705BE419FD3AF2880700F51
                                                                                        SHA-256:95029A621FBA2150951B8DD8A05C8D1F0FA59F6528E35533FC216B1DD42C6C5C
                                                                                        SHA-512:1CA377E6EF4EF968F85D1316B8F5DF9C4C7D52331FAF2117D3DFBA8260F49A85BEC23F826874F70961EAB3A1C69BDF3AC924EE4D97F9997E2E80B3C2AEFD48F9
                                                                                        Malicious:false
                                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Dec 18 10:23:46 2024, mtime=Wed Dec 18 10:23:47 2024, atime=Tue Nov 26 04:08:50 2024, length=29152, window=hide
                                                                                        Category:dropped
                                                                                        Size (bytes):909
                                                                                        Entropy (8bit):4.985585306693363
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:8v16o4hzWCqXdY//HGAjLs8TxNkfEsnAKtjAVDrH9cZWJAsT3BmV:88hij+/GA35bKbJAVDZcUZ3Bm
                                                                                        MD5:4E6A667CD85BA616224CC419083E8508
                                                                                        SHA1:7D9EE0E658B17533D8B19E50175B4F1CFFC89174
                                                                                        SHA-256:C7304DF86FABDAC773F99E39E1439DE37993582D7D94919D1D1F71CBC27CD42C
                                                                                        SHA-512:ECFDDB709F24224D79EFA0252C0BF4C6957601FED13A8A5B5974FB11BB6D48A48FD96E02D3272F5F87E8D05CF507E6BCB10CE446191603397F18E02EBF287D2E
                                                                                        Malicious:false
                                                                                        Process:C:\Users\user\Desktop\ATLEQQXO.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):4543241
                                                                                        Entropy (8bit):7.953577593572823
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:1qhKbkLC48QfYKC+rSB0gBSr1n8admb5diF+8jqvZh9TCru2:9YLC48zCSB0gBSUq+82vZhNU
                                                                                        MD5:CAB0057CFD10E7AEF479B8AED8B4357C
                                                                                        SHA1:C798E4520B3D3BBC9DC34C92AEEABADDC7CAAB23
                                                                                        SHA-256:B0518F06E336D48F65A4AE9109D384815517308C7A687E9FF8D28858FDFF21C3
                                                                                        SHA-512:1D6A8C2D158CF931757F6632CD3E4352F598EE180FB39B9DEFDFEBE19CFFCD1312A28686BC2281FE42CDFFD649A1B392C53AADC4798FF67BC52BE829D3F4512B
                                                                                        Malicious:false
                                                                                        Process:C:\Users\user\Desktop\ATLEQQXO.exe
                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):653952
                                                                                        Entropy (8bit):6.885961951552677
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:5hr4UC+Ju/A0BI4yWkoGKJwZ9axKmhYTMAO7wFKjCUmRyyPe:9JfyZFGKJjxKmhSMAB6CUmRyyPe
                                                                                        MD5:11D49148A302DE4104DED6A92B78B0ED
                                                                                        SHA1:FD58A091B39ED52611ADE20A782EF58AC33012AF
                                                                                        SHA-256:CEB0947D898BC2A55A50F092F5ED3F7BE64AC1CD4661022EEFD3EDD4029213B0
                                                                                        SHA-512:FDC43B3EE38F7BEB2375C953A29DB8BCF66B73B78CCC04B147E26108F3B650C0A431B276853BB8E08167D34A8CC9C6B7918DAEF9EBC0A4833B1534C5AFAC75E4
                                                                                        Malicious:false
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Joe Sandbox View:
                                                                                        • Filename: IMAKBWPY.exe, Detection: malicious
                                                                                        • Filename: JIKJCBEX.exe, Detection: malicious
                                                                                        • Filename: InvoiceNr274728.pdf.lnk, Detection: malicious
                                                                                        • Filename: KlarnaInvoice229837.pdf.lnk, Detection: malicious
                                                                                        • Filename: upgrade.hta, Detection: malicious
                                                                                        • Filename: file.ps1, Detection: malicious
                                                                                        • Filename: bUAmCazc.ps1, Detection: malicious
                                                                                        • Filename: KBKHHYI29L.msi, Detection: malicious
                                                                                        • Filename: , Detection: malicious
                                                                                        Process:C:\Users\user\Desktop\ATLEQQXO.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):19176
                                                                                        Entropy (8bit):5.5744691419553645
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:K2sgh5cTvSSX02b2DjahnzDqzp8EhFzyTRjnB5iwUQMkye/EXlVl+F/2:fP5cTqsxrz62yzWGwjMwO2E
                                                                                        MD5:1B460253D49274B10FBB004DFB9747FC
                                                                                        SHA1:E7EEB198A3BFD9E5977ECA69940754AA6D065EE0
                                                                                        SHA-256:EA375E1438BE7CBD7841956E11C8B5749BEA413FD9D6B8044C2204E8E7C2E209
                                                                                        SHA-512:2D3F22B67B702C68491AA8B66081BF02BA6E94DC4CFB352A41810C479807B149F4BD698ABBCC1E41287640C0376AD099E932BCFDB6790C7F099F67625A77C390
                                                                                        Malicious:false
                                                                                        Process:C:\Users\user\Desktop\ATLEQQXO.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):29152
                                                                                        Entropy (8bit):6.656857622778623
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:+yq82Ud7/zfkn8I+ilpd4TILqIgXYoBCH/3hprl:Zq824LfMV4TqqIgXYoBCH/3hpB
                                                                                        MD5:B6F6C3C38568EE26F1AC70411A822405
                                                                                        SHA1:5B94D0ADAC4DF2D7179C378750C4E3417231125F
                                                                                        SHA-256:A73454C7FAD23A80A3F6540AFDB64FC334980A11402569F1986AA39995AE496D
                                                                                        SHA-512:5C0A5E9A623A942AFF9D58D6E7A23B7D2BBA6A4155824AA8BB94DBD069A8C15C00DF48F12224622EFCD5042B6847C8FB476C43390E9E576C42EFC22E3C02A122
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Process:C:\Users\user\Desktop\ATLEQQXO.exe
                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):2649600
                                                                                        Entropy (8bit):6.720266712937156
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:xDd0krhjbVYU9U/ElyrLKlvGBO58GBjc9nYM6JBe4PjnhMsQHNClhIdYTf2O+yXW:ckrRyylvGB65KNCMghMtHIledkpyy
                                                                                        MD5:97BA4F023EEF94417ADCB77B044830C4
                                                                                        SHA1:D071A2C68256A36A1C2504D6C931CED63D676C4F
                                                                                        SHA-256:357AEDC478D8C1C6E85874C25A6A76B3801413FD71AAA641B31905E19B6CC7BD
                                                                                        SHA-512:3A165EECBBEE200F67476709E453254FCB131441F4A1737B820826FCB6FEAD4F3A8BDBF4C6BD8A22E81DEE3B7E8B8DE548F655C2E30C2E3568EF68625CD05365
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):2579968
                                                                                        Entropy (8bit):6.722728630171241
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:pookIXWltlwsBd1wro7OgLDWBywkLxvMvQUaAhpC9IOgUAowCGMVhJzb6nbYNvGS:CZIWd1AsDfxvMxLeIgAovGN
                                                                                        MD5:AC488933942940D2BCC094C91713D753
                                                                                        SHA1:6C23FEAD9F7AB573C0991B204E28A13A8438030A
                                                                                        SHA-256:B9BE720C5EFAA06F1C53A2F4F99AAF4FCF43098DE40F6957339AB2938A7B6970
                                                                                        SHA-512:25FEBF0EBE3DE89EB3269974BDD6801925142EC512460DDF2B279212C74CBD93D08408EE9F035F0FB777BC78CB8612AD7E071FD53A5B0A3215F85E3FC2CB6591
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):2364728
                                                                                        Entropy (8bit):6.606009669324617
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
                                                                                        MD5:967F4470627F823F4D7981E511C9824F
                                                                                        SHA1:416501B096DF80DDC49F4144C3832CF2CADB9CB2
                                                                                        SHA-256:B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
                                                                                        SHA-512:8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):2579968
                                                                                        Entropy (8bit):6.722728630171241
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:pookIXWltlwsBd1wro7OgLDWBywkLxvMvQUaAhpC9IOgUAowCGMVhJzb6nbYNvGS:CZIWd1AsDfxvMxLeIgAovGN
                                                                                        MD5:AC488933942940D2BCC094C91713D753
                                                                                        SHA1:6C23FEAD9F7AB573C0991B204E28A13A8438030A
                                                                                        SHA-256:B9BE720C5EFAA06F1C53A2F4F99AAF4FCF43098DE40F6957339AB2938A7B6970
                                                                                        SHA-512:25FEBF0EBE3DE89EB3269974BDD6801925142EC512460DDF2B279212C74CBD93D08408EE9F035F0FB777BC78CB8612AD7E071FD53A5B0A3215F85E3FC2CB6591
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Process:C:\Users\user\AppData\Local\Temp\pyexec.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):4543241
                                                                                        Entropy (8bit):7.953577593572823
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:1qhKbkLC48QfYKC+rSB0gBSr1n8admb5diF+8jqvZh9TCru2:9YLC48zCSB0gBSUq+82vZhNU
                                                                                        MD5:CAB0057CFD10E7AEF479B8AED8B4357C
                                                                                        SHA1:C798E4520B3D3BBC9DC34C92AEEABADDC7CAAB23
                                                                                        SHA-256:B0518F06E336D48F65A4AE9109D384815517308C7A687E9FF8D28858FDFF21C3
                                                                                        SHA-512:1D6A8C2D158CF931757F6632CD3E4352F598EE180FB39B9DEFDFEBE19CFFCD1312A28686BC2281FE42CDFFD649A1B392C53AADC4798FF67BC52BE829D3F4512B
                                                                                        Malicious:false
                                                                                        Process:C:\Users\user\AppData\Local\Temp\pyexec.exe
                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):653952
                                                                                        Entropy (8bit):6.885961951552677
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:5hr4UC+Ju/A0BI4yWkoGKJwZ9axKmhYTMAO7wFKjCUmRyyPe:9JfyZFGKJjxKmhSMAB6CUmRyyPe
                                                                                        MD5:11D49148A302DE4104DED6A92B78B0ED
                                                                                        SHA1:FD58A091B39ED52611ADE20A782EF58AC33012AF
                                                                                        SHA-256:CEB0947D898BC2A55A50F092F5ED3F7BE64AC1CD4661022EEFD3EDD4029213B0
                                                                                        SHA-512:FDC43B3EE38F7BEB2375C953A29DB8BCF66B73B78CCC04B147E26108F3B650C0A431B276853BB8E08167D34A8CC9C6B7918DAEF9EBC0A4833B1534C5AFAC75E4
                                                                                        Malicious:false
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Process:C:\Users\user\AppData\Local\Temp\pyexec.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):19176
                                                                                        Entropy (8bit):5.5744691419553645
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:K2sgh5cTvSSX02b2DjahnzDqzp8EhFzyTRjnB5iwUQMkye/EXlVl+F/2:fP5cTqsxrz62yzWGwjMwO2E
                                                                                        MD5:1B460253D49274B10FBB004DFB9747FC
                                                                                        SHA1:E7EEB198A3BFD9E5977ECA69940754AA6D065EE0
                                                                                        SHA-256:EA375E1438BE7CBD7841956E11C8B5749BEA413FD9D6B8044C2204E8E7C2E209
                                                                                        SHA-512:2D3F22B67B702C68491AA8B66081BF02BA6E94DC4CFB352A41810C479807B149F4BD698ABBCC1E41287640C0376AD099E932BCFDB6790C7F099F67625A77C390
                                                                                        Malicious:false
                                                                                        Process:C:\Users\user\AppData\Local\Temp\pyexec.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):29152
                                                                                        Entropy (8bit):6.656857622778623
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:+yq82Ud7/zfkn8I+ilpd4TILqIgXYoBCH/3hprl:Zq824LfMV4TqqIgXYoBCH/3hpB
                                                                                        MD5:B6F6C3C38568EE26F1AC70411A822405
                                                                                        SHA1:5B94D0ADAC4DF2D7179C378750C4E3417231125F
                                                                                        SHA-256:A73454C7FAD23A80A3F6540AFDB64FC334980A11402569F1986AA39995AE496D
                                                                                        SHA-512:5C0A5E9A623A942AFF9D58D6E7A23B7D2BBA6A4155824AA8BB94DBD069A8C15C00DF48F12224622EFCD5042B6847C8FB476C43390E9E576C42EFC22E3C02A122
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Process:C:\Users\user\AppData\Local\Temp\pyexec.exe
                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):2649600
                                                                                        Entropy (8bit):6.720266712937156
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:xDd0krhjbVYU9U/ElyrLKlvGBO58GBjc9nYM6JBe4PjnhMsQHNClhIdYTf2O+yXW:ckrRyylvGB65KNCMghMtHIledkpyy
                                                                                        MD5:97BA4F023EEF94417ADCB77B044830C4
                                                                                        SHA1:D071A2C68256A36A1C2504D6C931CED63D676C4F
                                                                                        SHA-256:357AEDC478D8C1C6E85874C25A6A76B3801413FD71AAA641B31905E19B6CC7BD
                                                                                        SHA-512:3A165EECBBEE200F67476709E453254FCB131441F4A1737B820826FCB6FEAD4F3A8BDBF4C6BD8A22E81DEE3B7E8B8DE548F655C2E30C2E3568EF68625CD05365
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Entropy (8bit):7.990191545976132
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                        File name:ATLEQQXO.exe
                                                                                        File size:5'343'929 bytes
                                                                                        MD5:2fd56c681ad71cfb61512d85213397fa
                                                                                        SHA1:d8f6d6bda59e00a56da58d596d427e834a551f36
                                                                                        SHA256:ae52eea09c54ce2122a585dab0231555763f5be6e90b1e63b5886cf4116ea68d
                                                                                        SHA512:0e4b25832c2385330c50cb1208f45a9005da3857c99fc7324a2d90ccd042cb93b9dc8133ab9401e89b17497841f9c5cdce679c8b5eea6a3526b978ce0bcbfaa7
                                                                                        SSDEEP:98304:+p413kko9DUTkEywOQPr/uvIfH3vy8iYqLlaSZihAu0Cw2ZAuZfFuqdN:+p4t5iSOU0uiYrSZihAu0MZRTdN
                                                                                        TLSH:43363300B78768F1C9A19E717E4DC767537AEBA917015F5343AA6C292ED31E00B0B2DB
                                                                                        File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................0.......3.......................................P.............................
                                                                                        Icon Hash:d292fcd8f2f2fe1c
                                                                                        Entrypoint:0x411def
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                        DLL Characteristics:
                                                                                        Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:b5a014d7eeb4c2042897567e1288a095
                                                                                        Instruction
                                                                                        push ebp
                                                                                        mov ebp, esp
                                                                                        push FFFFFFFFh
                                                                                        push 00414C50h
                                                                                        push 00411F80h
                                                                                        mov eax, dword ptr fs:[00000000h]
                                                                                        push eax
                                                                                        mov dword ptr fs:[00000000h], esp
                                                                                        sub esp, 68h
                                                                                        push ebx
                                                                                        push esi
                                                                                        push edi
                                                                                        mov dword ptr [ebp-18h], esp
                                                                                        xor ebx, ebx
                                                                                        mov dword ptr [ebp-04h], ebx
                                                                                        push 00000002h
                                                                                        call dword ptr [00413184h]
                                                                                        pop ecx
                                                                                        or dword ptr [00419924h], FFFFFFFFh
                                                                                        or dword ptr [00419928h], FFFFFFFFh
                                                                                        call dword ptr [00413188h]
                                                                                        mov ecx, dword ptr [0041791Ch]
                                                                                        mov dword ptr [eax], ecx
                                                                                        call dword ptr [0041318Ch]
                                                                                        mov ecx, dword ptr [00417918h]
                                                                                        mov dword ptr [eax], ecx
                                                                                        mov eax, dword ptr [00413190h]
                                                                                        mov eax, dword ptr [eax]
                                                                                        mov dword ptr [00419920h], eax
                                                                                        call 00007F8A786F17A2h
                                                                                        cmp dword ptr [00417710h], ebx
                                                                                        jne 00007F8A786F168Eh
                                                                                        push 00411F78h
                                                                                        call dword ptr [00413194h]
                                                                                        pop ecx
                                                                                        call 00007F8A786F1774h
                                                                                        push 00417048h
                                                                                        push 00417044h
                                                                                        call 00007F8A786F175Fh
                                                                                        mov eax, dword ptr [00417914h]
                                                                                        mov dword ptr [ebp-6Ch], eax
                                                                                        lea eax, dword ptr [ebp-6Ch]
                                                                                        push eax
                                                                                        push dword ptr [00417910h]
                                                                                        lea eax, dword ptr [ebp-64h]
                                                                                        push eax
                                                                                        lea eax, dword ptr [ebp-70h]
                                                                                        push eax
                                                                                        lea eax, dword ptr [ebp-60h]
                                                                                        push eax
                                                                                        call dword ptr [0041319Ch]
                                                                                        push 00417040h
                                                                                        push 00417000h
                                                                                        call 00007F8A786F172Ch
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x150dc          0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1a000          0x18d04       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x13000          0x310         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x11317       0x11400   797279c5ab1a163aed1f2a528f9fe3ce  False     0.6174988677536232  data       6.576987441854239   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x13000          0x30ea        0x3200    1359639b02bcb8f0a8743e6ead1c0030  False     0.43828125          data       5.549434098115495   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x17000          0x292c        0x800     9415c9c8dea3245d6d73c23393e27d8e  False     0.431640625         data       3.6583182363171756  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x1a000          0x18d04       0x18e00   9dee09854e79aa987e5336a4defda540  False     0.2433358197236181  data       5.382874846103129   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name           RVA      Size     Type                                                                 Language  Country        ZLIB Complexity
RT_ICON        0x1a1f0  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1088     Russian   Russia         0.6781914893617021
RT_ICON        0x1a658  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4224     Russian   Russia         0.47068480300187615
RT_ICON        0x1b700  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9600     Russian   Russia         0.41161825726141077
RT_ICON        0x1dca8  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16896   Russian   Russia         0.3213863958431743
RT_ICON        0x21ed0  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 67584  Russian   Russia         0.1865609842659411
RT_GROUP_ICON  0x326f8  0x4c     data                                                                 Russian   Russia         0.7763157894736842
RT_VERSION     0x32744  0x350    data                                                                 English   United States  0.47523584905660377
RT_MANIFEST    0x32a94  0x270    ASCII text, with very long lines (624), with no line terminators     English   United States  0.5144230769230769

DLL           Import
COMCTL32.dll
KERNEL32.dll  GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll    CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll     GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll   SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll     CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll  VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll    __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Language of compilation system  Country where language is spoken  Map
Russian                         Russia
English                         United States

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 18, 2024 12:24:42.179702997 CET  59148        53         192.168.2.4  1.1.1.1
Dec 18, 2024 12:24:42.406949043 CET  53           59148      1.1.1.1      192.168.2.4
Dec 18, 2024 12:25:32.211333990 CET  59262        53         192.168.2.4  1.1.1.1
Dec 18, 2024 12:25:32.433882952 CET  53           59262      1.1.1.1      192.168.2.4

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Dec 18, 2024 12:24:42.179702997 CET  192.168.2.4  1.1.1.1  0xec01    Standard query (0)  amenstilo.website  A (IP address)  IN (0x0001)  false
Dec 18, 2024 12:25:32.211333990 CET  192.168.2.4  1.1.1.1  0xf528    Standard query (0)  amenstilo.website  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name               CName  Address  Type            Class        DNS over HTTPS
Dec 18, 2024 12:24:42.406949043 CET  1.1.1.1    192.168.2.4  0xec01    Name error (3)  amenstilo.website  none   none     A (IP address)  IN (0x0001)  false
Dec 18, 2024 12:25:32.433882952 CET  1.1.1.1    192.168.2.4  0xf528    Name error (3)  amenstilo.website  none   none     A (IP address)  IN (0x0001)  false

                                                                                        Target ID:0
                                                                                        Start time:06:23:34
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Users\user\Desktop\ATLEQQXO.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\ATLEQQXO.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:5'343'929 bytes
                                                                                        MD5 hash:2FD56C681AD71CFB61512D85213397FA
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:1
                                                                                        Start time:06:23:36
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Users\user\AppData\Local\Temp\pyexec.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\pyexec.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:29'152 bytes
                                                                                        MD5 hash:B6F6C3C38568EE26F1AC70411A822405
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.2017596159.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 0%, ReversingLabs
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:06:23:47
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
                                                                                        Imagebase:0x400000
                                                                                        File size:29'152 bytes
                                                                                        MD5 hash:B6F6C3C38568EE26F1AC70411A822405
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2185711490.000000000353F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 0%, ReversingLabs
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:06:23:57
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                        Imagebase:0x240000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2468804754.00000000050E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:06:23:58
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:06:24:23
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:29'152 bytes
                                                                                        MD5 hash:B6F6C3C38568EE26F1AC70411A822405
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2539215113.00000000035E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:10
                                                                                        Start time:06:24:24
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Users\user\AppData\Local\Temp\uzfvalidate.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\uzfvalidate.exe
                                                                                        Imagebase:0x140000000
                                                                                        File size:2'364'728 bytes
                                                                                        MD5 hash:967F4470627F823F4D7981E511C9824F
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2573119972.0000000002792000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 0%, ReversingLabs
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:11
                                                                                        Start time:06:24:33
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                        Imagebase:0x240000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.2599238331.0000000002CF0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.2599485010.0000000004C65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:06:24:33
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:17
                                                                                        Start time:06:24:45
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\UpdateChrome_Ze\pyexec.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:29'152 bytes
                                                                                        MD5 hash:B6F6C3C38568EE26F1AC70411A822405
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2751851758.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:18
                                                                                        Start time:06:24:54
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                        Imagebase:0x240000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.2966901049.000000000499A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Has exited:true

                                                                                        Target ID:19
                                                                                        Start time:06:24:54
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:20
                                                                                        Start time:06:25:14
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Users\user\AppData\Local\Temp\uzfvalidate.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\uzfvalidate.exe
                                                                                        Imagebase:0x140000000
                                                                                        File size:2'364'728 bytes
                                                                                        MD5 hash:967F4470627F823F4D7981E511C9824F
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.3070579976.00000000026B4000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:17.4%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:25.9%
                                                                                          Total number of Nodes:1473
                                                                                          Total number of Limit Nodes:20
_EH_prolog 9509->9885 9510 404a95 9511 404ab3 9510->9511 9512 404a99 9510->9512 9514 404ada ??2@YAPAXI 9511->9514 9517 403354 86 API calls 9511->9517 9513 407776 55 API calls 9512->9513 9521 404aa1 9513->9521 9515 404ae6 9514->9515 9516 404aed 9514->9516 9920 404292 9515->9920 9901 40150b 9516->9901 9519 404ac6 9517->9519 9519->9514 9519->9521 9521->9223 9522->9509 9526 402200 LoadLibraryA GetProcAddress 9525->9526 9527 4021fb 9525->9527 9528 40221b 9526->9528 9529 402223 9526->9529 9527->9321 9527->9326 9527->9327 9528->9527 9529->9528 10383 4021b9 LoadLibraryA GetProcAddress 9529->10383 9532 40661a 2 API calls 9531->9532 9533 4049af 9532->9533 9534 401f9d 19 API calls 9533->9534 9535 4049bd 9534->9535 9536 4024fc 2 API calls 9535->9536 9537 4049c7 9536->9537 9538 4049fd 9537->9538 9540 40254d ??2@YAPAXI ??3@YAXPAX 9537->9540 9539 40254d 2 API calls 9538->9539 9541 404a0a 9539->9541 9540->9537 9542 401f9d 19 API calls 9541->9542 9543 404a11 9542->9543 9544 40254d 2 API calls 9543->9544 9545 404a1b 9544->9545 9546 4073d1 21 API calls 9545->9546 9547 404a30 ??3@YAXPAX 9546->9547 9548 404a41 ctype 9547->9548 9548->9081 9550 40e8da ctype 3 API calls 9549->9550 9551 403e7e 9550->9551 9552 40e8da ctype 3 API calls 9551->9552 9553 40e943 ??3@YAXPAX 9552->9553 9553->9075 9555 40db53 2 API calls 9554->9555 9556 404ce8 9555->9556 9557 404d44 9556->9557 9559 4024fc 2 API calls 9556->9559 9558 4025ae 2 API calls 9557->9558 9560 404d4c 9558->9560 9561 404cf7 9559->9561 9562 403e86 2 API calls 9560->9562 9565 404db5 ??3@YAXPAX 9561->9565 9567 403354 86 API calls 9561->9567 9563 404d59 9562->9563 9564 403ef6 2 API calls 9563->9564 9566 404d66 9564->9566 9579 404db1 9565->9579 9568 403ef6 2 API calls 9566->9568 9569 404d1b 9567->9569 9570 404d73 9568->9570 9569->9565 9572 40db53 2 API calls 9569->9572 9571 403ef6 2 API calls 9570->9571 9573 404d80 9571->9573 9574 404d37 9572->9574 9575 40dd5f 2 API calls 9573->9575 9574->9565 9576 404d3b ??3@YAXPAX 9574->9576 9577 404d94 
9575->9577 9576->9557 9577->9565 9578 404d9d ??3@YAXPAX 9577->9578 9578->9579 9579->9140 9581 4025ae 2 API calls 9580->9581 9597 4030a8 9581->9597 9582 403301 9583 403344 ??3@YAXPAX 9582->9583 9584 40334e 9583->9584 9584->9126 9584->9132 9585 401411 ??2@YAPAXI ??3@YAXPAX 9585->9597 9587 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9587->9597 9588 401362 2 API calls 9589 4030f3 ??3@YAXPAX ??3@YAXPAX 9588->9589 9590 403303 9589->9590 9589->9597 10391 4029c3 9590->10391 9594 40331c ??3@YAXPAX 9594->9584 9595 4031e5 strncmp 9596 4031d0 strncmp 9595->9596 9595->9597 9596->9595 9596->9597 9597->9582 9597->9585 9597->9587 9597->9588 9597->9590 9597->9595 9598 401362 2 API calls 9597->9598 9599 402640 2 API calls 9597->9599 9602 402640 ??2@YAPAXI ??3@YAXPAX 9597->9602 9604 4023dd lstrcmpW 9597->9604 9605 402f6c 7 API calls 9597->9605 9607 403330 9597->9607 9608 4032b2 lstrcmpW 9597->9608 9612 401329 2 API calls 9597->9612 10385 402986 9597->10385 10390 402425 ??3@YAXPAX ??3@YAXPAX 9597->10390 9600 403252 ??3@YAXPAX 9598->9600 9599->9596 9601 402a69 9 API calls 9600->9601 9603 403263 lstrcmpW 9601->9603 9602->9597 9603->9597 9604->9597 9605->9597 9610 402f6c 7 API calls 9607->9610 9608->9597 9609 4032c0 lstrcmpW 9608->9609 9609->9597 9611 40333c 9610->9611 10409 402425 ??3@YAXPAX ??3@YAXPAX 9611->10409 9612->9597 9615 402f7b 9614->9615 9617 402f86 9614->9617 10411 402668 9615->10411 9618 408761 4 API calls 9617->9618 9619 402f92 9618->9619 9619->9130 9620->9130 9622 4024fc 2 API calls 9621->9622 9623 40485f 9622->9623 9624 40254d 2 API calls 9623->9624 9625 40486c 9624->9625 9626 404888 9625->9626 9627 401429 2 API calls 9625->9627 9628 40254d 2 API calls 9626->9628 9627->9625 9629 404892 9628->9629 9630 40408b 94 API calls 9629->9630 9631 40489d ??3@YAXPAX 9630->9631 9631->9177 9633 4040a2 lstrlenW 9632->9633 9634 4040ce 9632->9634 9635 401a85 4 API calls 9633->9635 9634->9177 9636 4040b8 9635->9636 9636->9633 9636->9634 9637 4040d5 9636->9637 9638 4024fc 2 API calls 
9637->9638 9641 4040de 9638->9641 10416 402776 9641->10416 9642 403093 84 API calls 9643 40414c 9642->9643 9644 404156 ??3@YAXPAX ??3@YAXPAX 9643->9644 9645 40416d ??3@YAXPAX ??3@YAXPAX 9643->9645 9644->9634 9645->9634 9646->9187 9648 40661a 2 API calls 9647->9648 9649 403b48 9648->9649 9649->9175 9651 408646 9650->9651 9663 4083d5 ctype 9650->9663 9651->9184 9652 40661a 2 API calls 9652->9663 9653 40786b 23 API calls 9653->9663 9654 40243b lstrcmpW 9654->9663 9656 407674 23 API calls 9656->9663 9657 407613 23 API calls 9657->9663 9658 403b40 2 API calls 9658->9663 9659 401f9d 19 API calls 9659->9663 9660 403f48 4 API calls 9660->9663 9661 4073d1 21 API calls 9661->9663 9662 407776 55 API calls 9662->9663 9663->9651 9663->9652 9663->9653 9663->9654 9663->9656 9663->9657 9663->9658 9663->9659 9663->9660 9663->9661 9663->9662 9664 407717 25 API calls 9663->9664 9665 4073d1 21 API calls 9663->9665 10426 40744b 9663->10426 9664->9663 9666 408476 ??3@YAXPAX 9665->9666 9666->9663 9668 40243b lstrcmpW 9667->9668 9669 4082fd 9668->9669 9670 40830b 9669->9670 10430 4019f0 GetStdHandle WriteFile 9669->10430 9672 40831e 9670->9672 10431 4019f0 GetStdHandle WriteFile 9670->10431 9674 408333 9672->9674 10432 4019f0 GetStdHandle WriteFile 9672->10432 9676 408344 9674->9676 10433 4019f0 GetStdHandle WriteFile 9674->10433 9677 40243b lstrcmpW 9676->9677 9679 408351 9677->9679 9682 40835f 9679->9682 10434 4019f0 GetStdHandle WriteFile 9679->10434 9681 40243b lstrcmpW 9683 40836c 9681->9683 9682->9681 9684 40837a 9683->9684 10435 4019f0 GetStdHandle WriteFile 9683->10435 9686 40243b lstrcmpW 9684->9686 9687 408387 9686->9687 9688 408395 9687->9688 10436 4019f0 GetStdHandle WriteFile 9687->10436 9690 40243b lstrcmpW 9688->9690 9691 4083a2 9690->9691 9692 4083b2 9691->9692 10437 4019f0 GetStdHandle WriteFile 9691->10437 9692->9178 9695 407636 9694->9695 9696 407658 9695->9696 9697 40764b 9695->9697 10441 407186 9696->10441 10438 407154 9697->10438 9700 407653 9701 4073d1 21 API calls 
9700->9701 9702 407671 9701->9702 9702->9219 9704 407689 9703->9704 9705 40716d 2 API calls 9704->9705 9706 407694 9705->9706 9707 4073d1 21 API calls 9706->9707 9708 4076a5 9707->9708 9708->9219 9710 401411 2 API calls 9709->9710 9711 403f96 9710->9711 9712 402535 2 API calls 9711->9712 9713 403f9f GetTempPathW 9712->9713 9714 403fb8 9713->9714 9719 403fcf 9713->9719 9715 402535 2 API calls 9714->9715 9716 403fc3 GetTempPathW 9715->9716 9716->9719 9717 402535 2 API calls 9718 403ff2 wsprintfW 9717->9718 9718->9719 9719->9717 9720 404009 GetFileAttributesW 9719->9720 9721 40402d 9719->9721 9720->9719 9720->9721 9721->9203 9723 40787e 9722->9723 10447 40719f 9723->10447 9726 4073d1 21 API calls 9727 4078b3 9726->9727 9727->9223 9729 403e21 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9728->9729 9730 403e16 9728->9730 9729->9224 9731 402c86 16 API calls 9730->9731 9731->9729 9733 40243b lstrcmpW 9732->9733 9734 40455d 9733->9734 9735 404592 9734->9735 9736 401329 2 API calls 9734->9736 9735->9275 9737 40456c 9736->9737 9738 403b7f 19 API calls 9737->9738 9739 404572 9738->9739 9739->9735 9740 401429 2 API calls 9739->9740 9740->9735 9742 4012f7 2 API calls 9741->9742 9743 4043d4 9742->9743 9744 40254d 2 API calls 9743->9744 9745 4043df 9744->9745 9745->9264 9747 4021a9 9746->9747 9748 40218e LoadLibraryA GetProcAddress 9746->9748 9747->9321 9748->9747 9750 401411 2 API calls 9749->9750 9757 4048bc 9750->9757 9751 401329 2 API calls 9751->9757 9752 40494e 9753 404988 ??3@YAXPAX 9752->9753 9755 4048ab 3 API calls 9752->9755 9753->9274 9754 401429 2 API calls 9754->9757 9756 404985 9755->9756 9756->9753 9757->9751 9757->9752 9757->9754 9758 40243b lstrcmpW 9757->9758 9758->9757 9760 40661a 2 API calls 9759->9760 9761 403f50 9760->9761 9762 401411 2 API calls 9761->9762 9763 403f5e 9762->9763 9763->9248 9765 404cb1 ??3@YAXPAX 9764->9765 9766 404b15 9764->9766 9769 404cb7 9765->9769 9766->9765 9767 404b29 GetDriveTypeW 9766->9767 9767->9765 9768 404b55 9767->9768 9770 
403f85 6 API calls 9768->9770 9769->9234 9771 404b63 CreateFileW 9770->9771 9772 404b89 9771->9772 9773 404c7b ??3@YAXPAX ??3@YAXPAX 9771->9773 9774 401411 2 API calls 9772->9774 9773->9769 9775 404b92 9774->9775 9776 401329 2 API calls 9775->9776 9777 404b9f 9776->9777 9778 40254d 2 API calls 9777->9778 9779 404bad 9778->9779 9780 4013e2 2 API calls 9779->9780 9781 404bb9 9780->9781 9782 40254d 2 API calls 9781->9782 9783 404bc7 9782->9783 9784 40254d 2 API calls 9783->9784 9785 404bd4 9784->9785 9786 4013e2 2 API calls 9785->9786 9787 404be0 9786->9787 9788 40254d 2 API calls 9787->9788 9789 404bed 9788->9789 9790 40254d 2 API calls 9789->9790 9791 404bf6 9790->9791 9792 4013e2 2 API calls 9791->9792 9793 404c02 9792->9793 9794 40254d 2 API calls 9793->9794 9795 404c0b 9794->9795 9796 402776 3 API calls 9795->9796 9797 404c1d WriteFile ??3@YAXPAX CloseHandle 9796->9797 9798 404c4b 9797->9798 9799 404c8c 9797->9799 9798->9799 9800 404c53 SetFileAttributesW ShellExecuteW ??3@YAXPAX 9798->9800 9801 402c86 16 API calls 9799->9801 9800->9773 9802 404c94 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9801->9802 9802->9769 9812 4022b0 9803->9812 9807 401411 2 API calls 9806->9807 9808 40273a 9807->9808 9809 402772 9808->9809 9810 402535 2 API calls 9808->9810 9809->9364 9811 402757 MultiByteToWideChar 9810->9811 9811->9809 9813 4022ea 9812->9813 9814 4022be ??2@YAPAXI 9812->9814 9813->9364 9814->9813 9815 4022cf ??3@YAXPAX 9814->9815 9815->9813 9818 401ae3 9817->9818 9819 401a97 9817->9819 9818->9371 9819->9818 9820 401abc CharUpperW CharUpperW 9819->9820 9820->9819 9821 401af3 CharUpperW CharUpperW 9820->9821 9821->9818 9822->9390 9824 403e9e 9823->9824 9825 4022b0 2 API calls 9824->9825 9826 403eac 9825->9826 9826->9404 9828 40435e 9827->9828 9829 404375 9828->9829 9830 40436a 9828->9830 9831 4025ae 2 API calls 9829->9831 9847 4025f6 9830->9847 9833 40437e 9831->9833 9835 4022b0 2 API calls 9833->9835 9834 404373 9839 403ec1 9834->9839 9836 404387 9835->9836 9837 4025f6 2 API calls 
9836->9837 9838 4043b5 ??3@YAXPAX 9837->9838 9838->9834 9840 403ecd 9839->9840 9842 403ede 9839->9842 9841 4022b0 2 API calls 9840->9841 9841->9842 9842->9410 9844 403f06 9843->9844 9844->9844 9850 4022fc 9844->9850 9846 403f13 9846->9416 9848 4022b0 2 API calls 9847->9848 9849 402610 9848->9849 9849->9834 9851 402340 9850->9851 9852 402310 9850->9852 9851->9846 9853 4022b0 2 API calls 9852->9853 9853->9851 9855 4022fc 2 API calls 9854->9855 9856 40264a 9855->9856 9856->9426 9858 403d3d 9857->9858 9869 403c63 9858->9869 9862 403cd3 9861->9862 9863 403c63 _wtol 9862->9863 9864 403cf4 9863->9864 9864->9462 9866 403d04 9865->9866 9867 403c63 _wtol 9866->9867 9868 403d1c 9867->9868 9868->9470 9870 403c6d 9869->9870 9871 403c88 _wtol 9870->9871 9872 403cc1 9870->9872 9871->9870 9872->9459 9875 4023e8 9873->9875 9874 4023f4 lstrcmpW 9874->9875 9876 402411 9874->9876 9875->9874 9875->9876 9876->9180 9878 408679 9877->9878 9878->9507 9880 40b30d 9879->9880 9884 40dcfb 3 API calls 9880->9884 9881 40b321 9882 40b331 9881->9882 9925 40b163 9881->9925 9882->9510 9884->9881 9886 40a7fe 9885->9886 9887 40b2fc 11 API calls 9886->9887 9888 40a823 9887->9888 9889 40a845 9888->9889 9890 40a82c 9888->9890 9953 40cc59 _EH_prolog 9889->9953 9956 40a3fe 9890->9956 9902 40151e 9901->9902 9903 401329 2 API calls 9902->9903 9904 40152b 9903->9904 9905 401429 2 API calls 9904->9905 9906 401534 CreateThread 9905->9906 9907 401563 9906->9907 9908 401568 WaitForSingleObject 9906->9908 10377 40129c 9906->10377 9909 40786b 23 API calls 9907->9909 9910 401585 9908->9910 9911 4015b7 9908->9911 9909->9908 9914 4015a3 9910->9914 9917 401594 9910->9917 9912 4015b3 9911->9912 9913 4015bf GetExitCodeThread 9911->9913 9912->9521 9915 4015d6 9913->9915 9916 407776 55 API calls 9914->9916 9915->9912 9915->9917 9918 401605 SetLastError 9915->9918 9916->9912 9917->9912 9919 407776 55 API calls 9917->9919 9918->9917 9919->9912 9921 401411 2 API calls 9920->9921 9922 4042ab 9921->9922 9923 401411 2 API calls 
9922->9923 9924 4042b7 9923->9924 9924->9516 9938 40f0b6 9925->9938 9927 40b192 9927->9882 9928 40b17e 9928->9927 9941 40adc3 9928->9941 9931 40b297 ??3@YAXPAX 9931->9927 9932 40b2a2 ??3@YAXPAX 9932->9927 9934 40b27a memmove 9935 40b1d9 9934->9935 9935->9931 9935->9932 9935->9934 9936 40b2ac memcpy 9935->9936 9937 40dcfb 3 API calls 9936->9937 9937->9932 9949 40f06b 9938->9949 9942 40add0 9941->9942 9943 40ae0d memcpy 9941->9943 9944 40add5 ??2@YAPAXI 9942->9944 9945 40adfb 9942->9945 9943->9935 9946 40adfd ??3@YAXPAX 9944->9946 9947 40ade5 memmove 9944->9947 9945->9946 9946->9943 9947->9946 9950 40f0af 9949->9950 9951 40f07d 9949->9951 9950->9928 9951->9950 9952 40dcc7 GetLastError 9951->9952 9952->9951 9964 40c9fc 9953->9964 10360 40a28e 9956->10360 9986 40a0bf 9964->9986 10109 40a030 9986->10109 10110 40e8da ctype 3 API calls 10109->10110 10111 40a039 10110->10111 10112 40e8da ctype 3 API calls 10111->10112 10113 40a041 10112->10113 10114 40e8da ctype 3 API calls 10113->10114 10115 40a049 10114->10115 10116 40e8da ctype 3 API calls 10115->10116 10117 40a051 10116->10117 10118 40e8da ctype 3 API calls 10117->10118 10119 40a059 10118->10119 10120 40e8da ctype 3 API calls 10119->10120 10121 40a061 10120->10121 10122 40e8da ctype 3 API calls 10121->10122 10123 40a06b 10122->10123 10124 40e8da ctype 3 API calls 10123->10124 10125 40a073 10124->10125 10126 40e8da ctype 3 API calls 10125->10126 10127 40a080 10126->10127 10128 40e8da ctype 3 API calls 10127->10128 10129 40a088 10128->10129 10130 40e8da ctype 3 API calls 10129->10130 10131 40a095 10130->10131 10132 40e8da ctype 3 API calls 10131->10132 10133 40a09d 10132->10133 10134 40e8da ctype 3 API calls 10133->10134 10135 40a0aa 10134->10135 10136 40e8da ctype 3 API calls 10135->10136 10137 40a0b2 10136->10137 10361 40e8da ctype 3 API calls 10360->10361 10362 40a29c 10361->10362 10378 4012a5 10377->10378 10379 4012b8 10377->10379 10378->10379 10380 4012a7 Sleep 10378->10380 10381 4012f1 10379->10381 10382 4012e3 
EndDialog 10379->10382 10380->10378 10382->10381 10384 4021db 10383->10384 10384->9528 10386 4025ae 2 API calls 10385->10386 10387 402992 10386->10387 10388 4029be 10387->10388 10389 402640 2 API calls 10387->10389 10388->9597 10389->10387 10390->9597 10392 4029d2 10391->10392 10393 4029de 10391->10393 10410 4019f0 GetStdHandle WriteFile 10392->10410 10395 4025ae 2 API calls 10393->10395 10399 4029e8 10395->10399 10396 4029d9 10408 402425 ??3@YAXPAX ??3@YAXPAX 10396->10408 10397 402a13 10398 40272e 3 API calls 10397->10398 10400 402a25 10398->10400 10399->10397 10403 402640 2 API calls 10399->10403 10401 402a33 10400->10401 10402 402a47 10400->10402 10404 407776 55 API calls 10401->10404 10405 407776 55 API calls 10402->10405 10403->10399 10406 402a42 ??3@YAXPAX ??3@YAXPAX 10404->10406 10405->10406 10406->10396 10408->9594 10409->9583 10410->10396 10412 4012f7 2 API calls 10411->10412 10413 402676 10412->10413 10414 4012f7 2 API calls 10413->10414 10415 402682 10414->10415 10415->9617 10417 4025ae 2 API calls 10416->10417 10418 402785 10417->10418 10419 4027c1 10418->10419 10422 402628 10418->10422 10419->9642 10423 402634 10422->10423 10424 40263a WideCharToMultiByte 10422->10424 10425 4022b0 2 API calls 10423->10425 10424->10419 10425->10424 10427 407456 10426->10427 10428 40745b 10426->10428 10427->9663 10428->10427 10429 4073d1 21 API calls 10428->10429 10429->10427 10430->9670 10431->9672 10432->9674 10433->9676 10434->9682 10435->9684 10436->9688 10437->9692 10439 40661a 2 API calls 10438->10439 10440 40715c 10439->10440 10440->9700 10444 40716d 10441->10444 10445 40661a 2 API calls 10444->10445 10446 407175 10445->10446 10446->9700 10448 40661a 2 API calls 10447->10448 10449 4071a7 10448->10449 10449->9726 8030 40f3f1 8033 4024e7 8030->8033 8038 40245a 8033->8038 8036 4024f5 8037 4024f6 malloc 8039 40246a 8038->8039 8045 402466 8038->8045 8040 40247a GlobalMemoryStatusEx 8039->8040 8039->8045 8041 402488 8040->8041 8040->8045 8041->8045 8046 401f9d 
8041->8046 8045->8036 8045->8037 8047 401fb4 8046->8047 8048 401fe5 GetLastError wsprintfW GetEnvironmentVariableW GetLastError 8047->8048 8049 401fdb 8047->8049 8050 402095 SetLastError 8048->8050 8051 40201d ??2@YAPAXI GetEnvironmentVariableW 8048->8051 8066 407717 8049->8066 8050->8049 8056 4020ac 8050->8056 8052 40204c GetLastError 8051->8052 8064 40207e ??3@YAXPAX 8051->8064 8053 402052 8052->8053 8052->8064 8059 402081 8053->8059 8060 40205c lstrcmpiW 8053->8060 8055 4020cb lstrlenA ??2@YAPAXI 8057 402136 MultiByteToWideChar 8055->8057 8058 4020fc GetLocaleInfoW 8055->8058 8056->8055 8073 401f47 8056->8073 8057->8049 8058->8057 8062 402123 _wtol 8058->8062 8059->8050 8063 40206b ??3@YAXPAX 8060->8063 8060->8064 8062->8057 8063->8059 8064->8059 8065 4020c1 8065->8055 8080 40661a 8066->8080 8069 40774e 8084 4073d1 8069->8084 8070 40773c IsBadReadPtr 8070->8069 8074 401f51 GetUserDefaultUILanguage 8073->8074 8075 401f95 8073->8075 8076 401f72 GetSystemDefaultUILanguage 8074->8076 8077 401f6e 8074->8077 8075->8065 8076->8075 8078 401f7e GetSystemDefaultLCID 8076->8078 8077->8065 8078->8075 8079 401f8e 8078->8079 8079->8075 8081 406643 8080->8081 8082 40666f IsWindow 8080->8082 8081->8082 8083 40664b GetSystemMetrics GetSystemMetrics 8081->8083 8082->8069 8082->8070 8083->8082 8085 4073e0 8084->8085 8086 407444 8084->8086 8085->8086 8096 4024fc 8085->8096 8086->8045 8088 4073f1 8089 4024fc 2 API calls 8088->8089 8090 4073fc 8089->8090 8100 403b7f 8090->8100 8093 403b7f 19 API calls 8094 40740e ??3@YAXPAX ??3@YAXPAX 8093->8094 8094->8086 8097 402513 8096->8097 8109 40112b 8097->8109 8099 40251e 8099->8088 8173 403880 8100->8173 8102 403b59 8114 40393b 8102->8114 8104 403b69 8137 4039f6 8104->8137 8106 403b74 8160 4027c7 8106->8160 8110 401177 8109->8110 8111 401139 ??2@YAPAXI 8109->8111 8110->8099 8111->8110 8113 40115a 8111->8113 8112 40116f ??3@YAXPAX 8112->8110 8113->8112 8113->8113 8196 401411 8114->8196 8118 403954 8203 40254d 8118->8203 8120 403961 8121 
4024fc 2 API calls 8120->8121 8122 40396e 8121->8122 8207 403805 8122->8207 8125 401362 2 API calls 8126 403992 8125->8126 8127 40254d 2 API calls 8126->8127 8128 40399f 8127->8128 8129 4024fc 2 API calls 8128->8129 8130 4039ac 8129->8130 8131 403805 3 API calls 8130->8131 8132 4039bc ??3@YAXPAX 8131->8132 8133 4024fc 2 API calls 8132->8133 8134 4039d3 8133->8134 8135 403805 3 API calls 8134->8135 8136 4039e2 ??3@YAXPAX ??3@YAXPAX 8135->8136 8136->8104 8138 401411 2 API calls 8137->8138 8139 403a04 8138->8139 8140 401362 2 API calls 8139->8140 8141 403a0f 8140->8141 8142 40254d 2 API calls 8141->8142 8143 403a1c 8142->8143 8144 4024fc 2 API calls 8143->8144 8145 403a29 8144->8145 8146 403805 3 API calls 8145->8146 8147 403a39 ??3@YAXPAX 8146->8147 8148 401362 2 API calls 8147->8148 8149 403a4d 8148->8149 8150 40254d 2 API calls 8149->8150 8151 403a5a 8150->8151 8152 4024fc 2 API calls 8151->8152 8153 403a67 8152->8153 8154 403805 3 API calls 8153->8154 8155 403a77 ??3@YAXPAX 8154->8155 8156 4024fc 2 API calls 8155->8156 8157 403a8e 8156->8157 8158 403805 3 API calls 8157->8158 8159 403a9d ??3@YAXPAX ??3@YAXPAX 8158->8159 8159->8106 8161 401411 2 API calls 8160->8161 8162 4027d5 8161->8162 8163 4027e5 ExpandEnvironmentStringsW 8162->8163 8166 40112b 2 API calls 8162->8166 8164 402809 8163->8164 8165 4027fe ??3@YAXPAX 8163->8165 8232 402535 8164->8232 8167 402840 8165->8167 8166->8163 8167->8093 8170 402824 8171 401362 2 API calls 8170->8171 8172 402838 ??3@YAXPAX 8171->8172 8172->8167 8174 401411 2 API calls 8173->8174 8175 40388e 8174->8175 8176 401362 2 API calls 8175->8176 8177 403899 8176->8177 8178 40254d 2 API calls 8177->8178 8179 4038a6 8178->8179 8180 4024fc 2 API calls 8179->8180 8181 4038b3 8180->8181 8182 403805 3 API calls 8181->8182 8183 4038c3 ??3@YAXPAX 8182->8183 8184 401362 2 API calls 8183->8184 8185 4038d7 8184->8185 8186 40254d 2 API calls 8185->8186 8187 4038e4 8186->8187 8188 4024fc 2 API calls 8187->8188 8189 4038f1 8188->8189 8190 403805 3 
API calls 8189->8190 8191 403901 ??3@YAXPAX 8190->8191 8192 4024fc 2 API calls 8191->8192 8193 403918 8192->8193 8194 403805 3 API calls 8193->8194 8195 403927 ??3@YAXPAX ??3@YAXPAX 8194->8195 8195->8102 8197 40112b 2 API calls 8196->8197 8198 401425 8197->8198 8199 401362 8198->8199 8200 40136e 8199->8200 8202 401380 8199->8202 8201 40112b 2 API calls 8200->8201 8201->8202 8202->8118 8204 40255a 8203->8204 8212 401398 8204->8212 8206 402565 8206->8120 8208 40381b 8207->8208 8209 403817 ??3@YAXPAX 8207->8209 8208->8209 8216 4026b1 8208->8216 8220 402f96 8208->8220 8209->8125 8213 4013dc 8212->8213 8214 4013ac 8212->8214 8213->8206 8215 40112b 2 API calls 8214->8215 8215->8213 8217 4026c7 8216->8217 8218 4026db 8217->8218 8224 402346 memmove 8217->8224 8218->8208 8221 402fa5 8220->8221 8223 402fbe 8221->8223 8225 4026e6 8221->8225 8223->8208 8224->8218 8226 4026f6 8225->8226 8227 401398 2 API calls 8226->8227 8228 402702 8227->8228 8231 402346 memmove 8228->8231 8230 40270f 8230->8223 8231->8230 8233 402541 8232->8233 8234 402547 ExpandEnvironmentStringsW 8232->8234 8235 40112b 2 API calls 8233->8235 8234->8170 8235->8234 11179 40e4f9 11180 40e516 11179->11180 11181 40e506 11179->11181 11184 40de46 11181->11184 11187 401b1f VirtualFree 11184->11187 11186 40de81 ??3@YAXPAX 11186->11180 11187->11186
                                                                                          APIs
                                                                                            • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                                                                            • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                                                                            • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                                                                            • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                                                                            • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
                                                                                            • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                                                                            • Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                                                                          • GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
                                                                                          • GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
                                                                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                                                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                                                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                                                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                                                                            • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
                                                                                            • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
                                                                                          • _wtol.MSVCRT ref: 0040509F
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
                                                                                          • _wtol.MSVCRT ref: 00405217
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
                                                                                            • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000022,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                                                                            • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000022,004177C4,004177C4,00000000,00000022,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                                                                            • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
                                                                                            • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                                                                            • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                                                                            • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
                                                                                            • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                                                                            • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
                                                                                            • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
                                                                                            • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
                                                                                            • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
                                                                                            • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
                                                                                          • wsprintfW.USER32 ref: 00405595
                                                                                          • _wtol.MSVCRT ref: 004057DE
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
                                                                                          • CoInitialize.OLE32(00000000), ref: 004059E9
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
                                                                                          • GetKeyState.USER32(00000010), ref: 00405AA1
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
                                                                                          • memset.MSVCRT ref: 004060AE
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 0040617E
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
                                                                                          • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
                                                                                            • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                                            • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                                            • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                                            • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                                            • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
                                                                                          • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
                                                                                          • _wtol.MSVCRT ref: 00405F65
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
                                                                                          • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
                                                                                          • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
                                                                                          • API String ID: 154539431-3058303289
                                                                                          • Opcode ID: 487138a178580eda3ece8cfdceac7d94c04d5ea51ae98c448ec9f2ba9b6a03be
                                                                                          • Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
                                                                                          • Opcode Fuzzy Hash: 487138a178580eda3ece8cfdceac7d94c04d5ea51ae98c448ec9f2ba9b6a03be
                                                                                          • Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 651 401626-401636 652 401642-40166d call 40874d call 40a62f 651->652 653 401638-40163d 651->653 658 401680-40168c call 401411 652->658 659 40166f 652->659 654 401980-401983 653->654 665 401962-40197d ??3@YAXPAX@Z call 40eca9 658->665 666 401692-401697 658->666 660 401671-40167b call 40eca9 659->660 667 40197f 660->667 665->667 666->665 668 40169d-4016d3 call 401329 call 401454 call 401362 ??3@YAXPAX@Z 666->668 667->654 678 401948-40194b 668->678 679 4016d9-4016f8 668->679 680 40194d-401960 ??3@YAXPAX@Z call 40eca9 678->680 683 401713-401717 679->683 684 4016fa-40170e call 40eca9 ??3@YAXPAX@Z 679->684 680->667 687 401719-40171c 683->687 688 40171e-401723 683->688 684->660 690 40174b-401762 687->690 691 401745-401748 688->691 692 401725 688->692 690->684 695 401764-401787 690->695 691->690 693 401727-40172d 692->693 697 40172f-401740 call 40eca9 ??3@YAXPAX@Z 693->697 700 4017a2-4017a8 695->700 701 401789-40179d call 40eca9 ??3@YAXPAX@Z 695->701 697->660 704 4017c4-4017d6 GetLocalTime SystemTimeToFileTime 700->704 705 4017aa-4017ad 700->705 701->660 709 4017dc-4017df 704->709 707 4017b6-4017c2 705->707 708 4017af-4017b1 705->708 707->709 708->693 710 4017e1-4017eb call 403354 709->710 711 4017f8-4017ff call 40301a 709->711 710->697 716 4017f1-4017f3 710->716 715 401804-401809 711->715 717 401934-401943 GetLastError 715->717 718 40180f-401812 715->718 716->693 717->678 719 401818-401822 ??2@YAPAXI@Z 718->719 720 40192a-40192d 718->720 722 401833 719->722 723 401824-401831 719->723 720->717 724 401835-401859 call 4010e2 call 40db53 722->724 723->724 729 40190f-401928 call 408726 call 40eca9 724->729 730 40185f-40187d GetLastError call 4012f7 call 402d5a 724->730 729->680 739 4018ba-4018cf call 403354 730->739 740 40187f-401886 730->740 746 4018d1-4018d9 739->746 747 4018db-4018f3 call 40db53 739->747 742 40188a-40189a ??3@YAXPAX@Z 740->742 744 4018a2-4018b5 call 40eca9 ??3@YAXPAX@Z 742->744 745 40189c-40189e 742->745 744->660 745->744 746->742 753 4018f5-401904 GetLastError 747->753 754 401906-40190e ??3@YAXPAX@Z 747->754 753->742 754->729
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                                                                          • Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
                                                                                          • Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                                                                          • Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1082 40301a-403031 GetFileAttributesW 1083 403033-403035 1082->1083 1084 403037-403039 1082->1084 1085 403090-403092 1083->1085 1086 403048-40304f 1084->1086 1087 40303b-403046 SetLastError 1084->1087 1088 403051-403058 call 402fed 1086->1088 1089 40305a-40305d 1086->1089 1087->1085 1088->1085 1091 40308d-40308f 1089->1091 1092 40305f-403070 FindFirstFileW 1089->1092 1091->1085 1092->1088 1094 403072-40308b FindClose CompareFileTime 1092->1094 1094->1088 1094->1091
                                                                                          APIs
                                                                                          • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
                                                                                          • SetLastError.KERNEL32(00000010), ref: 0040303D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttributesErrorFileLast
                                                                                          • String ID:
                                                                                          • API String ID: 1799206407-0
                                                                                          • Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                                                                          • Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
                                                                                          • Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                                                                          • Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E
                                                                                          APIs
                                                                                          • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
                                                                                          • SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: DiskFreeMessageSendSpace
                                                                                          • String ID:
                                                                                          • API String ID: 696007252-0
                                                                                          • Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                                                                          • Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
                                                                                          • Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                                                                          • Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                                          • String ID: HpA
                                                                                          • API String ID: 801014965-2938899866
                                                                                          • Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                                                                          • Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
                                                                                          • Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                                                                          • Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                                                                          • CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                                                                          • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                                                                          • DispatchMessageW.USER32(?), ref: 00401B89
                                                                                          • KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                                                                          • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
                                                                                          • String ID: Static
                                                                                          • API String ID: 2479445380-2272013587
                                                                                          • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                                                                          • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
                                                                                          • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                                                                          • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
                                                                                          • memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@memcpymemmove
                                                                                          • String ID:
                                                                                          • API String ID: 3549172513-3916222277
                                                                                          • Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                                                                          • Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
                                                                                          • Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                                                                          • Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                                                                          • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                                                                            • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                                            • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                                          • memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                                                                                          • String ID:
                                                                                          • API String ID: 846840743-0
                                                                                          • Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                                                                          • Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
                                                                                          • Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                                                                          • Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
                                                                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                                            • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                                                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                                                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                                                                            • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                                            • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                                            • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                                                                            • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                                            • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                                            • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                                                                            • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
                                                                                            • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
                                                                                          • wsprintfW.USER32 ref: 004044A7
                                                                                            • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                                                                          • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                                                                          • String ID: 7zSfxFolder%02d$IA
                                                                                          • API String ID: 3387708999-1317665167
                                                                                          • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                                                          • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                                                                                          • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                                                          • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??2@
                                                                                          • String ID: IA$IA
                                                                                          • API String ID: 1033339047-1400641299

                                                                                          Control-flow Graph (first node: 410cd0-410d1a)
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: free
                                                                                          • String ID: $KA$4KA$HKA$\KA
                                                                                          • API String ID: 1294909896-3316857779

                                                                                          Control-flow Graph (first node: 4096c7-40970f)
                                                                                          APIs
                                                                                          • _EH_prolog.MSVCRT ref: 004096D0
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
                                                                                            • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: ??2@$H_prolog
                                                                                          • String ID: HIA
                                                                                          • API String ID: 3431946709-2712174624

                                                                                          Control-flow Graph (first node: 402844-40288e)
                                                                                          APIs
                                                                                          • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                                                                          • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                                                                          • memcmp.MSVCRT(?,?,?), ref: 004028E4
                                                                                          • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                                                                          • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                                                                          Similarity
                                                                                          • API ID: lstrlenmemcmp$memmove
                                                                                          • String ID:
                                                                                          • API String ID: 3251180759-0

                                                                                          Control-flow Graph (first node: 40150b-401561)
                                                                                          APIs
                                                                                          • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
                                                                                          • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
                                                                                            • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                                            • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                                            • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                                            • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                                            • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                                          Similarity
                                                                                          • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 359084233-0

                                                                                          Control-flow Graph (first node: 401986-401995)
                                                                                          APIs
                                                                                          • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
                                                                                          • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
                                                                                          • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
                                                                                          • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$AttributesCreateDirectoryFile
                                                                                          • String ID:
                                                                                          • API String ID: 635176117-0

                                                                                          Control-flow Graph (first node: 404a44-404a62)
                                                                                          APIs
                                                                                          • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000020,?,00405D20,?,00417788,00417788), ref: 00404A5A
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: ??2@
                                                                                          • String ID: ExecuteFile
                                                                                          • API String ID: 1033339047-323923146

                                                                                          Control-flow Graph: function at 0040ADC3
                                                                                          APIs
                                                                                          • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                                          • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                                          Similarity
                                                                                          • API ID: ??2@??3@memmove
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: GlobalMemoryStatus
                                                                                          • String ID: @
                                                                                          APIs
                                                                                            • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
                                                                                            • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                                            • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                                            • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
                                                                                          Similarity
                                                                                          • API ID: ??3@$??2@ExceptionThrowmemmove
                                                                                          • String ID:
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: ??3@H_prolog
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                                          Similarity
                                                                                          • API ID: ??2@??3@
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
                                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastPointer
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • SysAllocString.OLEAUT32(?), ref: 0040ED05
                                                                                          • _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
                                                                                          Similarity
                                                                                          • API ID: AllocExceptionStringThrow
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0040E745
                                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                          • String ID:
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: H_prolog
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
                                                                                          Similarity
                                                                                          • API ID: AttributesFile
                                                                                          APIs
                                                                                            • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                                                                          • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
                                                                                          Similarity
                                                                                          • API ID: CloseCreateFileHandle
                                                                                          APIs
                                                                                          • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
                                                                                          Similarity
                                                                                          • API ID: FileWrite
                                                                                          APIs
                                                                                          • _beginthreadex.MSVCRT ref: 00406552
                                                                                            • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
                                                                                          Similarity
                                                                                          • API ID: ErrorLast_beginthreadex
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: H_prolog
                                                                                          APIs
                                                                                          • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
                                                                                          Similarity
                                                                                          • API ID: FileRead
                                                                                          APIs
                                                                                          • SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
                                                                                          Similarity
                                                                                          • API ID: FileTime
                                                                                          APIs
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000060,?,?,00000000,?,0040D96E,00000000,?,00000000,00000000,000000FF,?,00000001,?,?,?), ref: 0040D91A
                                                                                          Similarity
                                                                                          • API ID: ??2@
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: free
                                                                                          APIs
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                                                                          Similarity
                                                                                          • API ID: ??2@
                                                                                          APIs
                                                                                          • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                                                                          • Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
                                                                                          • Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                                                                          • Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509
                                                                                          APIs
                                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
                                                                                          Similarity
                                                                                          • API ID: FreeVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 1263568516-0
                                                                                          • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                                                                          • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
                                                                                          • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                                                                          • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: free
                                                                                          • String ID:
                                                                                          • API String ID: 1294909896-0
                                                                                          • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                                                                          • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
                                                                                          • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                                                                          • Instruction Fuzzy Hash:
                                                                                          APIs
                                                                                          • _wtol.MSVCRT ref: 004034E5
                                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
                                                                                          • _wtol.MSVCRT ref: 0040367F
                                                                                          • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                                                                          • String ID: .lnk
                                                                                          • API String ID: 408529070-24824748
                                                                                          • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                                                                          • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
                                                                                          • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                                                                          • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                                          • wsprintfW.USER32 ref: 00401FFD
                                                                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                                          • GetLastError.KERNEL32 ref: 00402017
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                                          • GetLastError.KERNEL32 ref: 0040204C
                                                                                          • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                                                                          • SetLastError.KERNEL32(00000000), ref: 00402098
                                                                                          • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                                          • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                                          • _wtol.MSVCRT ref: 0040212A
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                                                                          • String ID: 7zSfxString%d$XpA$\3A
                                                                                          • API String ID: 2117570002-3108448011
                                                                                          • Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                                                                          • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
                                                                                          • Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                                                                          • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                                                                          • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                                                                          • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                                                                          • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                                                                          • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                                                                          • LockResource.KERNEL32(00000000), ref: 00401C41
                                                                                          • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00401C76
                                                                                          • wsprintfW.USER32 ref: 00401C95
                                                                                          • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                                                                                          • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                                                                                          • API String ID: 2639302590-365843014
                                                                                          • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                                                                          • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
                                                                                          • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                                                                          • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
                                                                                          APIs
                                                                                          • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                                          • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                                          • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                                          • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                                          • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                                          • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                                          • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                                          • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                                          • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                                          Similarity
                                                                                          • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 829399097-0
                                                                                          • Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                                                                          • Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
                                                                                          • Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                                                                          • Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
                                                                                          • lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
                                                                                          • lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
                                                                                          • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
                                                                                          • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
                                                                                          • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
                                                                                          • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
                                                                                          • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
                                                                                          Similarity
                                                                                          • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                                                                                          • String ID:
                                                                                          • API String ID: 1862581289-0
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
                                                                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
                                                                                          • GetWindow.USER32(?,00000005), ref: 00406D8F
                                                                                          • GetWindow.USER32(00000000,00000002), ref: 00406DA5
                                                                                          Similarity
                                                                                          • API ID: Window$AddressLibraryLoadProc
                                                                                          • String ID: SetWindowTheme$\EA$uxtheme
                                                                                          • API String ID: 324724604-1613512829
                                                                                          APIs
                                                                                          • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
                                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
                                                                                          • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
                                                                                          • CloseHandle.KERNEL32(004177C4), ref: 00404C40
                                                                                          • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
                                                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
                                                                                          Similarity
                                                                                          • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                                                                                          • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                                                                                          • API String ID: 3007203151-3467708659
                                                                                          APIs
                                                                                          • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
                                                                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                                            • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                                                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                                                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                                                                            • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                                            • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                                            • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                                                                            • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                                            • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                                          • _wtol.MSVCRT ref: 004047DC
                                                                                          • _wtol.MSVCRT ref: 004047F8
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                                                                                          • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
                                                                                          • API String ID: 2725485552-3187639848
                                                                                          APIs
                                                                                          • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
                                                                                          • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
                                                                                            • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                                            • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
                                                                                          • GetParent.USER32(?), ref: 00402E2E
                                                                                          • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
                                                                                          • GetMenu.USER32(?), ref: 00402E55
                                                                                          • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
                                                                                          • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
                                                                                          • DestroyWindow.USER32(?), ref: 00402EA3
                                                                                          • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
                                                                                          • GetSysColor.USER32(0000000F), ref: 00402EBC
                                                                                          • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
                                                                                          • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
                                                                                          Similarity
                                                                                          • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                                                                          • String ID: RichEdit20W$STATIC$riched20${\rtf
                                                                                          • API String ID: 1731037045-2281146334
                                                                                          • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                                                          • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                                                                                          • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                                                          • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
                                                                                          APIs
                                                                                          • GetWindowDC.USER32(00000000), ref: 00401CD4
                                                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                                                                          • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                                                                          • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                                                                          • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                                                                          • CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                                                                          • CreateCompatibleDC.GDI32(?), ref: 00401D52
                                                                                          • SelectObject.GDI32(00000000,?), ref: 00401D60
                                                                                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                                                                          • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                                                                          • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                                                                          • SelectObject.GDI32(00000000,?), ref: 00401DB3
                                                                                          • SelectObject.GDI32(00000000,?), ref: 00401DB9
                                                                                          • DeleteDC.GDI32(00000000), ref: 00401DC2
                                                                                          • DeleteDC.GDI32(00000000), ref: 00401DC5
                                                                                          • ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                                                                          • ReleaseDC.USER32(00000000,?), ref: 00401DDB
                                                                                          • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3462224810-0
                                                                                          • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                                                                          • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
                                                                                          • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                                                                          • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
                                                                                          APIs
                                                                                          • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
                                                                                          • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
                                                                                          • GetMenu.USER32(?), ref: 00401E44
                                                                                            • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                                                                            • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                                                                            • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                                                                            • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                                                                            • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                                                                            • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
                                                                                          • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
                                                                                          • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
                                                                                          • CoInitialize.OLE32(00000000), ref: 00401E8C
                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00401ECD
                                                                                            • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
                                                                                            • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                                                                            • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                                                                            • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                                                                            • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                                                                            • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                                                                            • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                                                                            • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
                                                                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
                                                                                            • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                                                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                                                                            • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                                                                            • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                                                                            • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                                                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
                                                                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
                                                                                            • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
                                                                                            • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
                                                                                            • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                                                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
                                                                                          • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
                                                                                          • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00401F3A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                                                                          • String ID: IMAGES$STATIC
                                                                                          • API String ID: 4202116410-1168396491
                                                                                          • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                                                          • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                                                                                          • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                                                          • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                                                                                          APIs
                                                                                            • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                                            • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                                          • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                                                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                                                                                          • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                                                                                          • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                                                                                          • SetWindowLongW.USER32(00000000), ref: 004081D8
                                                                                          • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                                                                                          • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                                                                                          • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                                                                                          • SetFocus.USER32(00000000), ref: 0040821D
                                                                                          • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                                                                                          • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                                                                                          • GetDlgItem.USER32(?,00000002), ref: 00408294
                                                                                          • IsWindow.USER32(00000000), ref: 00408297
                                                                                          • GetDlgItem.USER32(?,00000002), ref: 004082A7
                                                                                          • EnableWindow.USER32(00000000), ref: 004082AA
                                                                                          • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                                                                                          • ShowWindow.USER32(00000000), ref: 004082C1
                                                                                            • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                                                                            • Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                                                                            • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                                                                            • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                                                                            • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                                                                            • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                                                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                                            • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                                            • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 855516470-0
                                                                                          • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                                                          • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                                                                                          • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                                                          • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                                                                                          • strncmp.MSVCRT ref: 004031F1
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                                                                                          • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                                                                                          • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@$lstrcmpstrncmp
                                                                                          • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                                                                                          • API String ID: 2881732429-172299233
                                                                                          • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                                                          • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                                                                                          • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                                                          • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                                                                                          APIs
                                                                                          • GetDlgItem.USER32(?,000004B3), ref: 00406A69
                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
                                                                                          • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
                                                                                          • GetSystemMetrics.USER32(00000010), ref: 00406B0B
                                                                                          • GetSystemMetrics.USER32(00000011), ref: 00406B11
                                                                                          • GetSystemMetrics.USER32(00000008), ref: 00406B18
                                                                                          • GetSystemMetrics.USER32(00000007), ref: 00406B1F
                                                                                          • GetParent.USER32(?), ref: 00406B43
                                                                                          • GetClientRect.USER32(00000000,?), ref: 00406B55
                                                                                          • ClientToScreen.USER32(?,?), ref: 00406B68
                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
                                                                                          • GetClientRect.USER32(?,?), ref: 00406C55
                                                                                          • ClientToScreen.USER32(?,?), ref: 00406B71
                                                                                            • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                                                          • GetSystemMetrics.USER32(00000008), ref: 00406CD6
                                                                                          • GetSystemMetrics.USER32(00000007), ref: 00406CDD
                                                                                            • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
                                                                                            • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                                                                          • String ID:
                                                                                          • API String ID: 747815384-0
                                                                                          • Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                                                                          • Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
                                                                                          • Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                                                                          • Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                                          • LoadIconW.USER32(00000000), ref: 00407D33
                                                                                          • GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                                          • GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                                          • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                                          • LoadImageW.USER32(00000000), ref: 00407D54
                                                                                          • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                                          • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                                          • GetWindow.USER32(?,00000005), ref: 00407E76
                                                                                          • GetWindow.USER32(?,00000005), ref: 00407E92
                                                                                          • GetWindow.USER32(?,00000005), ref: 00407EAA
                                                                                          • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
                                                                                          • LoadIconW.USER32(00000000), ref: 00407F0D
                                                                                          • GetDlgItem.USER32(?,000004B1), ref: 00407F28
                                                                                          • SendMessageW.USER32(00000000), ref: 00407F2F
                                                                                            • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                                                                            • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                                                                            • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                                            • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                                                                          • String ID:
                                                                                          • API String ID: 1889686859-0
                                                                                          • Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                                                                          • Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
                                                                                          • Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                                                                          • Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
                                                                                          APIs
                                                                                          • GetParent.USER32(?), ref: 00406F45
                                                                                          • GetWindowLongW.USER32(00000000), ref: 00406F4C
                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
                                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
                                                                                          • GetSystemMetrics.USER32(00000031), ref: 00406F91
                                                                                          • GetSystemMetrics.USER32(00000032), ref: 00406F98
                                                                                          • GetWindowDC.USER32(?), ref: 00406FAA
                                                                                          • GetWindowRect.USER32(?,?), ref: 00406FB7
                                                                                          • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00406FF3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                                                                          • String ID:
                                                                                          • API String ID: 2586545124-0
                                                                                          • Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                                                                          • Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
                                                                                          • Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                                                                          • Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
                                                                                          APIs
                                                                                          • GetDlgItem.USER32(?,000004B3), ref: 0040678E
                                                                                          • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
                                                                                          • GetDlgItem.USER32(?,000004B4), ref: 004067AB
                                                                                          • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
                                                                                          • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
                                                                                          • GetDlgItem.USER32(?,?), ref: 004067CC
                                                                                          • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
                                                                                          • GetDlgItem.USER32(?,?), ref: 004067DD
                                                                                          • SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ItemMessageSend$Focus
                                                                                          • String ID:
                                                                                          • API String ID: 3946207451-0
                                                                                          • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                                                                          • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
                                                                                          • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                                                                          • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@
                                                                                          • String ID: IA$IA$IA$IA$IA$IA
                                                                                          • API String ID: 613200358-3743982587
                                                                                          • Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                                                                          • Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
                                                                                          • Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                                                                          • Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@
                                                                                          • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
                                                                                          • API String ID: 613200358-994561823
                                                                                          • Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                                                                          • Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
                                                                                          • Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                                                                          • Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
                                                                                          APIs
                                                                                          • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
                                                                                          • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
                                                                                          • GetDC.USER32(00000000), ref: 00406DFB
                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
                                                                                          • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
                                                                                          • ReleaseDC.USER32(00000000,?), ref: 00406E24
                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
                                                                                          • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                                                                          • String ID:
                                                                                          • API String ID: 2693764856-0
                                                                                          • Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                                                                          • Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
                                                                                          • Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                                                                          • Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
                                                                                          APIs
                                                                                          • GetDC.USER32(?), ref: 0040696E
                                                                                          • GetSystemMetrics.USER32(0000000B), ref: 0040698A
                                                                                          • GetSystemMetrics.USER32(0000003D), ref: 00406993
                                                                                          • GetSystemMetrics.USER32(0000003E), ref: 0040699B
                                                                                          • SelectObject.GDI32(?,?), ref: 004069B8
                                                                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
                                                                                          • SelectObject.GDI32(?,?), ref: 004069F9
                                                                                          • ReleaseDC.USER32(?,?), ref: 00406A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                                                                          • String ID:
                                                                                          • API String ID: 2466489532-0
                                                                                          • Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                                                                          • Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
                                                                                          • Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                                                                          • Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
                                                                                          APIs
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                                                                          • GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                                                                          • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                                                                          • wsprintfW.USER32 ref: 00407BBB
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                                                                          Similarity
                                                                                          • API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                                                          • String ID: %d%%
                                                                                          • API String ID: 3753976982-1518462796
                                                                                          APIs
                                                                                          • lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
                                                                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
                                                                                          Similarity
                                                                                          • API ID: ??3@$CharUpper$lstrlen
                                                                                          • String ID: hAA
                                                                                          • API String ID: 2587799592-1362906312
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
                                                                                            • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                                                                            • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                                                                            • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                                                                            • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                                                                          Similarity
                                                                                          • API ID: ??3@$FileTime$AttributesSystemlstrlen
                                                                                          • String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                                          • API String ID: 4038993085-2279431206
                                                                                          APIs
                                                                                          • EndDialog.USER32(?,00000000), ref: 00407579
                                                                                          • KillTimer.USER32(?,00000001), ref: 0040758A
                                                                                          • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
                                                                                          • SuspendThread.KERNEL32(00000294), ref: 004075CD
                                                                                          • ResumeThread.KERNEL32(00000294), ref: 004075EA
                                                                                          • EndDialog.USER32(?,00000000), ref: 0040760C
                                                                                          Similarity
                                                                                          • API ID: DialogThreadTimer$KillResumeSuspend
                                                                                          • String ID:
                                                                                          • API String ID: 4151135813-0
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000022,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                                                                            • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
                                                                                          • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000022,004177C4,004177C4,00000000,00000022,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                                                                          • wsprintfA.USER32 ref: 00404EBC
                                                                                          Similarity
                                                                                          • API ID: ??3@$wsprintf
                                                                                          • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                                          • API String ID: 2704270482-1550708412
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
                                                                                          Similarity
                                                                                          • API ID: ??3@
                                                                                          • String ID: %%T/$%%T\
                                                                                          • API String ID: 613200358-2679640699
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
                                                                                          Similarity
                                                                                          • API ID: ??3@
                                                                                          • String ID: %%S/$%%S\
                                                                                          • API String ID: 613200358-358529586
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
                                                                                          Similarity
                                                                                          • API ID: ??3@
                                                                                          • String ID: %%M/$%%M\
                                                                                          • API String ID: 613200358-4143866494
                                                                                          APIs
                                                                                          • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                                                                                          Similarity
                                                                                          • API ID: ExceptionThrow
                                                                                          • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                                                                                          • API String ID: 432778473-803145960
                                                                                          • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                                                          • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                                                                                          • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                                                          • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                                                                                          APIs
                                                                                            • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                                                                            • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                                            • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                                            • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: ??2@$??3@$memmove
                                                                                          • String ID: IA$IA$IA
                                                                                          • API String ID: 4294387087-924693538
                                                                                          • Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                                                                          • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                                                                                          • Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                                                                          • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                                                                                          APIs
                                                                                          • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                                                                                          • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                                                                                          • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: ??2@??3@ExceptionThrowmemcpy
                                                                                          • String ID: IA
                                                                                          • API String ID: 3462485524-3293647318
                                                                                          • Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                                                                          • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                                                                                          • Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                                                                          • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: wsprintf$ExitProcesslstrcat
                                                                                          • String ID: 0x%p
                                                                                          • API String ID: 2530384128-1745605757
                                                                                          • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                                                          • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                                                                                          • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                                                          • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                                                                                          APIs
                                                                                            • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                                                                            • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                                                                                          • GetSystemMetrics.USER32(00000007), ref: 00407A51
                                                                                          • GetSystemMetrics.USER32(00000007), ref: 00407A62
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: MetricsSystem$??3@
                                                                                          • String ID: 100%%
                                                                                          • API String ID: 2562992111-568723177
                                                                                          • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                                                          • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                                                                                          • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                                                          • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
                                                                                          APIs
                                                                                          • wsprintfW.USER32 ref: 00407A12
                                                                                            • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                                                                            • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                                                                          • GetDlgItem.USER32(?,000004B3), ref: 004079C6
                                                                                            • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                                            • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: TextWindow$ItemLength$??3@wsprintf
                                                                                          • String ID: (%u%s)
                                                                                          • API String ID: 3595513934-2496177969
                                                                                          • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                                                                          • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
                                                                                          • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                                                                          • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00402211
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: GetNativeSystemInfo$kernel32
                                                                                          • API String ID: 2574300362-3846845290
                                                                                          • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                                                                          • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
                                                                                          • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                                                                          • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040219F
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32
                                                                                          • API String ID: 2574300362-3900151262
                                                                                          • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                                                                          • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
                                                                                          • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                                                                          • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004021D1
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32
                                                                                          • API String ID: 2574300362-736604160
                                                                                          • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                                                                          • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
                                                                                          • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                                                                          • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
                                                                                          APIs
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                                                                            • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@$ByteCharMultiWide
                                                                                          • String ID:
                                                                                          • API String ID: 1731127917-0
                                                                                          • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                                                          • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                                                                                          • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                                                          • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                                                                                          APIs
                                                                                          • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                                                                                          • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                                                                                          • wsprintfW.USER32 ref: 00403FFB
                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00404016
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: PathTemp$AttributesFilewsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 1746483863-0
                                                                                          • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                                                          • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                                                                                          • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                                                          • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                                                                                          APIs
                                                                                          • CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                                          • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                                          • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                                                                                          • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: CharUpper
                                                                                          • String ID:
                                                                                          • API String ID: 9403516-0
                                                                                          • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                                                          • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                                                                                          • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                                                          • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                                                                                          APIs
                                                                                            • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                                                            • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                                            • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                                                                                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                                                                                          • GetDlgItem.USER32(?,000004B7), ref: 00408020
                                                                                          • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                                                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                                            • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                                            • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                                                            • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                                                            • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                                                                                          • String ID:
                                                                                          • API String ID: 2538916108-0
                                                                                          • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                                                          • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                                                                                          • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                                                          • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                                                                                          APIs
                                                                                          • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                                                                                          • GetSystemMetrics.USER32(00000031), ref: 0040683A
                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00406849
                                                                                          • DeleteObject.GDI32(00000000), ref: 00406878
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                                                                          • String ID:
                                                                                          • API String ID: 1900162674-0
                                                                                          • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                                                                          • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
                                                                                          • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                                                                          • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 0040749F
                                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
                                                                                          • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
                                                                                          • SHGetMalloc.SHELL32(00000000), ref: 004074FE
                                                                                            • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                                                            • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                                                                          • String ID:
                                                                                          • API String ID: 1557639607-0
                                                                                          • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                                                                          • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
                                                                                          • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                                                                          • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
                                                                                          APIs
                                                                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
                                                                                            • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                                            • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@$EnvironmentExpandStrings$??2@
                                                                                          • String ID:
                                                                                          • API String ID: 612612615-0
                                                                                          • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                                                                          • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
                                                                                          • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                                                                          • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
                                                                                          APIs
                                                                                            • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                                            • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
                                                                                          • SetWindowTextW.USER32(?,?), ref: 00403B12
                                                                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ??3@TextWindow$Length
                                                                                          • String ID:
                                                                                          • API String ID: 2308334395-0
                                                                                          • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                                                                          • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
                                                                                          • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                                                                          • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
                                                                                          APIs
                                                                                          • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
                                                                                          • CreateFontIndirectW.GDI32(?), ref: 0040705B
                                                                                          • GetDlgItem.USER32(?,000004B5), ref: 0040706F
                                                                                          • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFontIndirectItemMessageObjectSend
                                                                                          • String ID:
                                                                                          • API String ID: 2001801573-0
                                                                                          • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                                                                          • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
                                                                                          • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                                                                          • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
                                                                                          APIs
                                                                                          • GetParent.USER32(?), ref: 00401BA8
                                                                                          • GetWindowRect.USER32(?,?), ref: 00401BC1
                                                                                          • ScreenToClient.USER32(00000000,?), ref: 00401BCF
                                                                                          • ScreenToClient.USER32(00000000,?), ref: 00401BD6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClientScreen$ParentRectWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2099118873-0
                                                                                          • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                                                          • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                                                                                          • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                                                          • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wtol
                                                                                          • String ID: GUIFlags$[G@
                                                                                          • API String ID: 2131799477-2126219683
                                                                                          • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                                                          • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                                                                                          • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                                                          • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                                                                                          APIs
                                                                                          • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                                                                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2019891168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2019872417.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019916207.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019938786.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2019959920.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_ATLEQQXO.jbxd
                                                                                          Similarity
                                                                                          • API ID: EnvironmentVariable
                                                                                          • String ID: ?O@
                                                                                          • API String ID: 1431749950-3511380453
                                                                                          • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                                                          • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                                                                                          • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                                                          • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

                                                                                          Execution Graph

                                                                                          Execution Coverage:1.3%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:11.5%
                                                                                          Total number of Nodes:130
                                                                                          Total number of Limit Nodes:9

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileProtectVirtual$AllocCreateLibraryLoadLocalRead
                                                                                          • String ID:
                                                                                          • API String ID: 2652859266-0
                                                                                          • Opcode ID: 52386f893f1c19f02afe9457b705bd24dccb15846e45d028bbae4c74a8315876
                                                                                          • Instruction ID: d577b6052e8687adb6fb25ba651a60ba8f8470ffbfd09015228313bb0af738d7
                                                                                          • Opcode Fuzzy Hash: 52386f893f1c19f02afe9457b705bd24dccb15846e45d028bbae4c74a8315876
                                                                                          • Instruction Fuzzy Hash: 30D267B8E052298FCB64CF58C994B9DBBB1BF49304F2485DAD849AB341D735AE81CF50

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000001,?,004056A8,?,00401D78,?,00000000,004014CF,?,00000000), ref: 00401CE1
                                                                                          • LoadLibraryA.KERNELBASE(00000000,?,004056A8,?,00401D78,?,00000000,004014CF,?,00000000), ref: 00401CEE
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00401D14
                                                                                          • OutputDebugStringA.KERNEL32(undef symbol,?,004056A8,?,00401D78,?,00000000,004014CF,?,00000000), ref: 00401D33
                                                                                          • __iob_func.MSVCR90 ref: 00401D41
                                                                                          • fprintf.MSVCR90 ref: 00401D4B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2016188585.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2016169143.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                          • Associated: 00000001.00000002.2016236192.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                                                                          • Associated: 00000001.00000002.2016251772.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                                                                          • Associated: 00000001.00000002.2016274258.0000000000407000.00000002.00000001.01000000.00000005.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressDebugHandleLibraryLoadModuleOutputProcString__iob_funcfprintf
                                                                                          • String ID: undef symbol$undefined symbol %s -> exit(-1)
                                                                                          • API String ID: 3232099167-3880521481
                                                                                          • Opcode ID: a62e86013865cb6945eca6c9e6b857a4ad3fd4014c4c712411902039301153c0
                                                                                          • Instruction ID: ec091370b392768ebba2b9cbd08fa3fa07ccb6f4dd854fbc632097c7e97f4075
                                                                                          • Opcode Fuzzy Hash: a62e86013865cb6945eca6c9e6b857a4ad3fd4014c4c712411902039301153c0
                                                                                          • Instruction Fuzzy Hash: 9A11E2B16003029FEB216B699C487677798EFD4351F194437EA82F33B0D778DC958A18

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\common.bin,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00401464,?), ref: 00401365
                                                                                          • GetFileSize.KERNEL32(00000000,00401464,?,?,?,00401464,?), ref: 0040137F
                                                                                          • CreateFileMappingA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00401392
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00401464,?), ref: 004013A1
                                                                                          Strings
                                                                                          • C:\Users\user\AppData\Local\Temp\common.bin, xrefs: 00401364
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2016188585.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2016169143.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                          • Associated: 00000001.00000002.2016236192.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                                                                          • Associated: 00000001.00000002.2016251772.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                                                                          • Associated: 00000001.00000002.2016274258.0000000000407000.00000002.00000001.01000000.00000005.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$Create$CloseHandleMappingSize
                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\common.bin
                                                                                          • API String ID: 3089540790-2948388957
                                                                                          • Opcode ID: e8d0a1f2787124378ff6857ee086f689d906f27355de188c8710255d9154317e
                                                                                          • Instruction ID: 01b989ff9adac1588cbd50fc37617142f0a4378e713b607962af627c2eb096ff
                                                                                          • Opcode Fuzzy Hash: e8d0a1f2787124378ff6857ee086f689d906f27355de188c8710255d9154317e
                                                                                          • Instruction Fuzzy Hash: B3017172B513107AF63056B8BC4AF9AA798D785B72F21063AFB11FA1D0D6B468005668
                                                                                          APIs
                                                                                          • isalnum.MSVCR90 ref: 6C8340AE
                                                                                          • isalnum.MSVCR90 ref: 6C8340DB
                                                                                          • isalnum.MSVCR90 ref: 6C83412B
                                                                                          • isalnum.MSVCR90 ref: 6C834158
                                                                                          • _PyUnicodeUCS2_IsAlpha.PYTHON27(?), ref: 6C8341A3
                                                                                          • _PyUnicodeUCS2_IsDecimalDigit.PYTHON27(?), ref: 6C8341B0
                                                                                          • _PyUnicodeUCS2_IsDigit.PYTHON27(?), ref: 6C8341BD
                                                                                          • _PyUnicodeUCS2_IsNumeric.PYTHON27(?), ref: 6C8341CA
                                                                                          • _PyUnicodeUCS2_IsAlpha.PYTHON27 ref: 6C8341F1
                                                                                          • _PyUnicodeUCS2_IsDecimalDigit.PYTHON27 ref: 6C8341FE
                                                                                          • _PyUnicodeUCS2_IsDigit.PYTHON27 ref: 6C83420B
                                                                                          • _PyUnicodeUCS2_IsNumeric.PYTHON27 ref: 6C834218
                                                                                          • _PyUnicodeUCS2_IsAlpha.PYTHON27(?), ref: 6C834257
                                                                                          • _PyUnicodeUCS2_IsDecimalDigit.PYTHON27(?), ref: 6C834264
                                                                                          • _PyUnicodeUCS2_IsDigit.PYTHON27(?), ref: 6C834271
                                                                                          • _PyUnicodeUCS2_IsNumeric.PYTHON27(?), ref: 6C83427E
                                                                                          • _PyUnicodeUCS2_IsAlpha.PYTHON27 ref: 6C8342A5
                                                                                          • _PyUnicodeUCS2_IsDecimalDigit.PYTHON27 ref: 6C8342B2
                                                                                          • _PyUnicodeUCS2_IsDigit.PYTHON27 ref: 6C8342BF
                                                                                          • _PyUnicodeUCS2_IsNumeric.PYTHON27 ref: 6C8342CC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Unicode$Digit$AlphaDecimalNumericisalnum
                                                                                          • String ID:
                                                                                          • API String ID: 2555583657-0
                                                                                          • Opcode ID: 8de309c174c5ae2a32d5b5f7bc767bd39fbebbc2b8fee74c643132e4dd9110fc
                                                                                          • Instruction ID: b540fc3c7f25430b123b7178891e759d1ea8ffedb3cc6425b2d20ce7a216f87b
                                                                                          • Opcode Fuzzy Hash: 8de309c174c5ae2a32d5b5f7bc767bd39fbebbc2b8fee74c643132e4dd9110fc
                                                                                          • Instruction Fuzzy Hash: B0B18096B0453006E33016FA6E802AFB7B49BD0319B58BE3ADC9DC3E41F31AD8D592D1
                                                                                          APIs
                                                                                          • GetACP.KERNEL32 ref: 6C82FDE4
                                                                                          • PyOS_snprintf.PYTHON27(?,00000064,cp%d,00000000), ref: 6C82FDF9
                                                                                          • GetLocaleInfoA.KERNEL32(00000400,00000059,?,00000064), ref: 6C82FE14
                                                                                          • GetLocaleInfoA.KERNEL32(00000400,0000005A,0000005F,00000064), ref: 6C82FE43
                                                                                          • GetLocaleInfoA.KERNEL32(00000400,00000009,?,00000062), ref: 6C82FE70
                                                                                          • Py_BuildValue.PYTHON27(6C96C53C,00000030,?), ref: 6C82FE8D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoLocale$BuildS_snprintfValue
                                                                                          • String ID: 0$cp%d$x
                                                                                          • API String ID: 2137356293-3685427448
                                                                                          • Opcode ID: fcc17edd1c502e949d62184dd532a45e8cf239f066cdee7ad8c1169e772eb884
                                                                                          • Instruction ID: b4482ac5da3f9c238df81a5e8b91bfb3b67ee1857b3f90744aa326c08eb40f3d
                                                                                          • Opcode Fuzzy Hash: fcc17edd1c502e949d62184dd532a45e8cf239f066cdee7ad8c1169e772eb884
                                                                                          • Instruction Fuzzy Hash: 98213870A0531DAEFB10DBA8CD04FFE7BB89B15704F008555FA09AB5C1EB349609CBA1
                                                                                          APIs
                                                                                          • IsDebuggerPresent.KERNEL32 ref: 6C9690A9
                                                                                          • _crt_debugger_hook.MSVCR90(00000001), ref: 6C9690B6
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C9690BE
                                                                                          • UnhandledExceptionFilter.KERNEL32(6C96A540), ref: 6C9690C9
                                                                                          • _crt_debugger_hook.MSVCR90(00000001), ref: 6C9690DA
                                                                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 6C9690E5
                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 6C9690EC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 3369434319-0
                                                                                          • Opcode ID: 5eb02ba833fdbe0d16fc5237ed5e8740e1b9066ba98be7d821f8e7b975b38929
                                                                                          • Instruction ID: 9f600cb542b962cf0226946cd4c1cd2cba4bae0b3a0dcb17a29e84aff1cc0563
                                                                                          • Opcode Fuzzy Hash: 5eb02ba833fdbe0d16fc5237ed5e8740e1b9066ba98be7d821f8e7b975b38929
                                                                                          • Instruction Fuzzy Hash: 7D21E4B8A243179FDF08DF5AD546AA43BF8FB0A311F50901AE60982790EB70D5828F44
                                                                                          APIs
                                                                                          • PyErr_NoMemory.PYTHON27(?), ref: 6C908E35
                                                                                          • PyString_FromStringAndSize.PYTHON27(?,00000014,?,?), ref: 6C908F3B
                                                                                          • _PyString_Resize.PYTHON27(?,00000000,?,?), ref: 6C908F69
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String_$Err_FromMemoryResizeSizeString
                                                                                          • String ID:
                                                                                          • API String ID: 3221442098-0
                                                                                          • Opcode ID: 9e46ac1e5b76fbbe6f1548e04b763ff5126337db9fe352edd18ef1f79d8b77b5
                                                                                          • Instruction ID: e787c961bfa7d91758972ab43b7762bd4ca896dd6996689ad6b48f80b4f1573e
                                                                                          • Opcode Fuzzy Hash: 9e46ac1e5b76fbbe6f1548e04b763ff5126337db9fe352edd18ef1f79d8b77b5
                                                                                          • Instruction Fuzzy Hash: 9B413332B012054BDB5C8A7CCC902BD776ADB96214F0807BFDE1B9BBC1DB34DA548699

                                                                                          Control-flow Graph (first block at 6c82f6b0; legend: Executed / Not Executed)
                                                                                          APIs
                                                                                          • PyDict_New.PYTHON27 ref: 6C82F6B1
                                                                                            • Part of subcall function 6C8C4510: PyString_FromString.PYTHON27(<dummy key>,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4529
                                                                                          • localeconv.MSVCR90 ref: 6C82F6C0
                                                                                          • PyString_FromString.PYTHON27(00000000), ref: 6C82F6CB
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,decimal_point,00000000), ref: 6C82F6E4
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C82F701
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,thousands_sep,00000000), ref: 6C82F71A
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,grouping,00000000), ref: 6C82F74C
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C82F769
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,int_curr_symbol,00000000), ref: 6C82F782
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C82F79F
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,currency_symbol,00000000), ref: 6C82F7B8
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C82F7D5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$Dict_FromString_$Item$localeconv
                                                                                          • String ID: currency_symbol$decimal_point$frac_digits$grouping$int_curr_symbol$int_frac_digits$mon_decimal_point$mon_grouping$mon_thousands_sep$n_cs_precedes$n_sep_by_space$n_sign_posn$negative_sign$p_cs_precedes$p_sep_by_space$p_sign_posn$positive_sign$thousands_sep
                                                                                          • API String ID: 3913525369-2270419579
                                                                                          • Opcode ID: 1afff6a4418cdee085fbc1cc208429bcccbe590857f1e29ba1ed825d4b281464
                                                                                          • Instruction ID: 597106f2ebb48f46924eb590d2f46100034c551e53a8f7de61e98ee59f8a74cb
                                                                                          • Opcode Fuzzy Hash: 1afff6a4418cdee085fbc1cc208429bcccbe590857f1e29ba1ed825d4b281464
                                                                                          • Instruction Fuzzy Hash: 3EB1F7F2D0192157C730DB68AE40CAB36A05F5563CB154B38EC661BB81E72DEE86C7D2

                                                                                          Control-flow Graph (first block at 6c8b9940; legend: Executed / Not Executed)
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(__doc__), ref: 6C8B995A
                                                                                          • PyString_InternInPlace.PYTHON27(?), ref: 6C8B996F
                                                                                          • PyString_FromString.PYTHON27(__module__), ref: 6C8B9996
                                                                                          • PyString_InternInPlace.PYTHON27(?), ref: 6C8B99AB
                                                                                          • PyString_FromString.PYTHON27(__name__), ref: 6C8B99D2
                                                                                          • PyString_InternInPlace.PYTHON27(?), ref: 6C8B99E7
                                                                                          • PyDict_GetItem.PYTHON27(?,?), ref: 6C8B9A3E
                                                                                          • PyDict_SetItem.PYTHON27(?,?,?), ref: 6C8B9A56
                                                                                          • PyDict_GetItem.PYTHON27(?,?), ref: 6C8B9A6E
                                                                                          • PyEval_GetGlobals.PYTHON27 ref: 6C8B9A7A
                                                                                          • PyDict_GetItem.PYTHON27(00000000,?), ref: 6C8B9A8B
                                                                                          • PyDict_SetItem.PYTHON27(?,?,00000000), ref: 6C8B9A9F
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000000), ref: 6C8B9ACF
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8B9AFD
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,PyClass_New: bases must be a tuple), ref: 6C8B9B43
                                                                                          • PyTuple_Size.PYTHON27(?), ref: 6C8B9B55
                                                                                          • PyString_InternFromString.PYTHON27(__getattr__), ref: 6C8B9B97
                                                                                          • PyString_InternFromString.PYTHON27(__setattr__), ref: 6C8B9BAD
                                                                                          • PyString_InternFromString.PYTHON27(__delattr__), ref: 6C8B9BC3
                                                                                          • _PyObject_GC_New.PYTHON27(?), ref: 6C8B9BD9
                                                                                          • PyCallable_Check.PYTHON27(6CA69BF8), ref: 6C8B9C09
                                                                                          • PyObject_CallFunctionObjArgs.PYTHON27(6CA69BF8,?,?,?,00000000), ref: 6C8B9C21
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String_$String$FromIntern$Dict_Item$Object_Place$ArgsCallCallable_CheckErr_ErrorEval_FatalFunctionGlobalsSizeTuple_
                                                                                          • String ID: GC object already tracked$PyClass_New: base must be a class$PyClass_New: bases must be a tuple$PyClass_New: dict must be a dictionary$PyClass_New: name must be a string$__delattr__$__doc__$__getattr__$__module__$__name__$__setattr__
                                                                                          • API String ID: 1439401794-468072166
                                                                                          • Opcode ID: 2a20996296b39cca2235c5adc9a2140f9c6ab7348d673b658ac80a770c1a657c
                                                                                          • Instruction ID: 4a21191d89884104698af5ddb8f0f6130ddfc7927919aaa027cfd4dfb7083ce6
                                                                                          • Opcode Fuzzy Hash: 2a20996296b39cca2235c5adc9a2140f9c6ab7348d673b658ac80a770c1a657c
                                                                                          • Instruction Fuzzy Hash: 23B1F9B16113029FEB24CF69EE41A6773B4FB65219B144E39E82997B41EB30E409C7A1

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • PyString_InternFromString.PYTHON27(__name__,00000000,6C94A352,?,?,6C94936C,?,?), ref: 6C9495DD
                                                                                            • Part of subcall function 6C8F6990: PyString_FromString.PYTHON27(?,?,?,6C949624,__package__,00000000,6C94A352,?,?,6C94936C,?,?), ref: 6C8F6998
                                                                                          • PyString_InternFromString.PYTHON27(__path__,00000000,6C94A352,?,?,6C94936C,?,?), ref: 6C949600
                                                                                          • PyString_InternFromString.PYTHON27(__package__,00000000,6C94A352,?,?,6C94936C,?,?), ref: 6C94961F
                                                                                          • PyDict_GetItem.PYTHON27(?,?,00000000,6C94A352,?,?,6C94936C,?,?), ref: 6C94963E
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,Module name too long,?,?,?,?,?,?,?), ref: 6C949670
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,Attempted relative import in non-package,?), ref: 6C94969B
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,Package name too long,?), ref: 6C9496BF
                                                                                          • PyDict_GetItem.PYTHON27(?,?,?), ref: 6C9496EC
                                                                                          • PyDict_GetItem.PYTHON27(?,?,?,?,?), ref: 6C949716
                                                                                          • PyDict_SetItem.PYTHON27(?,?,00000000,?,?,?,?,?), ref: 6C949753
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,Could not set __package__,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C94976F
                                                                                          • strrchr.MSVCR90 ref: 6C949785
                                                                                          • PyDict_SetItem.PYTHON27(?,?,?,?,?,?,?,?,?,?), ref: 6C9497AE
                                                                                          • memcpy.MSVCR90(00000000,-00000014,00000000,?,?,?,?,?,?,?), ref: 6C9497D8
                                                                                          • PyString_FromString.PYTHON27(00000000,00000000,-00000014,00000000,?,?,?,?,?,?,?), ref: 6C9497E2
                                                                                          • PyDict_SetItem.PYTHON27(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C949800
                                                                                          • strrchr.MSVCR90 ref: 6C949833
                                                                                          • PyImport_GetModuleDict.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C94985F
                                                                                          • PyDict_GetItemString.PYTHON27(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C949866
                                                                                          • PyString_FromFormat.PYTHON27(Parent module '%.200s' not found while handling absolute import,00000000), ref: 6C949884
                                                                                          • PyString_AsString.PYTHON27(00000000,00000001), ref: 6C949899
                                                                                          • PyErr_WarnEx.PYTHON27(6CA66D98,00000000,00000001), ref: 6C9498A9
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,Parent module '%.200s' not loaded, cannot perform relative import,00000000), ref: 6C9498EF
                                                                                          Strings
                                                                                          • __package__, xrefs: 6C94961A
                                                                                          • Could not set __package__, xrefs: 6C949769
                                                                                          • __path__, xrefs: 6C9495FB
                                                                                          • Package name too long, xrefs: 6C9496B9
                                                                                          • __name__, xrefs: 6C9495D8
                                                                                          • Attempted relative import beyond toplevel package, xrefs: 6C9498DA
                                                                                          • Parent module '%.200s' not found while handling absolute import, xrefs: 6C94987F
                                                                                          • Module name too long, xrefs: 6C94972B
                                                                                          • __package__ set to non-string, xrefs: 6C949665
                                                                                          • Parent module '%.200s' not loaded, cannot perform relative import, xrefs: 6C9498E9
                                                                                          • Attempted relative import in non-package, xrefs: 6C949695, 6C949797
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$Dict_ItemString_$Err_From$Intern$Formatstrrchr$DictImport_ModuleWarnmemcpy
                                                                                          • String ID: Attempted relative import beyond toplevel package$Attempted relative import in non-package$Could not set __package__$Module name too long$Package name too long$Parent module '%.200s' not found while handling absolute import$Parent module '%.200s' not loaded, cannot perform relative import$__name__$__package__$__package__ set to non-string$__path__
                                                                                          • API String ID: 2025534777-3665187588
                                                                                          • Opcode ID: 529e1314d802e3d171bd6040fa6cce7e9011170701652568c604c2310e6b627c
                                                                                          • Instruction ID: 42543aa2ac951e04159010213f544e25a2ae4fcb1537144b1175ace0bd31665c
                                                                                          • Opcode Fuzzy Hash: 529e1314d802e3d171bd6040fa6cce7e9011170701652568c604c2310e6b627c
                                                                                          • Instruction Fuzzy Hash: FB917B71B013124FDB118E69AE84B9A33ACEB4671CF15C6A8EC08CBB41E731D859C7E1

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Py_FatalError.PYTHON27(PyEval_SaveThread: NULL tstate), ref: 6C8CE181
                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6C8CE19C
                                                                                          • SetEvent.KERNEL32(00000000), ref: 6C8CE1AA
                                                                                          • memset.MSVCR90 ref: 6C8CE1BF
                                                                                          • fgets.MSVCR90 ref: 6C8CE1CD
                                                                                          • Py_FatalError.PYTHON27(PyEval_RestoreThread: NULL tstate), ref: 6C8CE1EA
                                                                                          • _errno.MSVCR90 ref: 6C8CE1FB
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 6C8CE219
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6C8CE22F
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6C8CE235
                                                                                          • _errno.MSVCR90 ref: 6C8CE244
                                                                                          • memchr.MSVCR90 ref: 6C8CE273
                                                                                          • clearerr.MSVCR90(?), ref: 6C8CE2A8
                                                                                          • PyErr_CheckSignals.PYTHON27 ref: 6C8CE2B1
                                                                                          • PyString_FromStringAndSize.PYTHON27(?,?), ref: 6C8CE2CA
                                                                                          Strings
                                                                                          • PyEval_RestoreThread: NULL tstate, xrefs: 6C8CE1E5, 6C8CE3B6
                                                                                          • line is longer than a Python string can hold, xrefs: 6C8CE4F6
                                                                                          • PyEval_SaveThread: NULL tstate, xrefs: 6C8CE17C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFatalInterlocked_errno$CheckCurrentDecrementErr_EventFromIncrementObjectSignalsSingleSizeStringString_ThreadWaitclearerrfgetsmemchrmemset
                                                                                          • String ID: PyEval_RestoreThread: NULL tstate$PyEval_SaveThread: NULL tstate$line is longer than a Python string can hold
                                                                                          • API String ID: 642221721-73556018
                                                                                          • Opcode ID: 0c37ed2262e96d6ee491c1678723af6ce22c4a2ad351f2c9219fc067950d7443
                                                                                          • Instruction ID: 7d3b0f73721222dc78e4068d989f79597b0e51e668708bb1598e830257596a92
                                                                                          • Opcode Fuzzy Hash: 0c37ed2262e96d6ee491c1678723af6ce22c4a2ad351f2c9219fc067950d7443
                                                                                          • Instruction Fuzzy Hash: 18B1B370B002198FDB24CF65DD85BDA77B4EB49319F0045A8E80997780EB34EE85CF92

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Py_InitModule4.PYTHON27(_locale,6CA8B3F0,00000000,00000000,000003F5), ref: 6C82FEC3
                                                                                          • PyModule_GetDict.PYTHON27(00000000), ref: 6C82FED6
                                                                                            • Part of subcall function 6C8E5170: PyType_IsSubtype.PYTHON27(F08BFC45,?,00000000,?,?,6C8D5195,00000000), ref: 6C8E518B
                                                                                            • Part of subcall function 6C8E5170: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\moduleobject.c,00000032,6C8D5195,00000000), ref: 6C8E51A9
                                                                                          • PyInt_FromLong.PYTHON27(00000002,00000000), ref: 6C82FEDF
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,LC_CTYPE,00000000,00000002,00000000), ref: 6C82FEED
                                                                                            • Part of subcall function 6C8C7460: PyString_FromString.PYTHON27(00000000,?,?,6C8E50D7,00000000,__name__,00000000,?,00000014,?,6C94DEB4), ref: 6C8C7468
                                                                                          • PyInt_FromLong.PYTHON27(00000005), ref: 6C82FF0C
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,LC_TIME,00000000,00000005), ref: 6C82FF1A
                                                                                          • PyInt_FromLong.PYTHON27(00000001), ref: 6C82FF39
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,LC_COLLATE,00000000,00000001), ref: 6C82FF47
                                                                                          • PyInt_FromLong.PYTHON27(00000003), ref: 6C82FF66
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,LC_MONETARY,00000000,00000003), ref: 6C82FF74
                                                                                          • PyInt_FromLong.PYTHON27(00000004), ref: 6C82FF93
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,LC_NUMERIC,00000000,00000004), ref: 6C82FFA1
                                                                                          • PyInt_FromLong.PYTHON27(00000000), ref: 6C82FFC0
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,LC_ALL,00000000,00000000), ref: 6C82FFCE
                                                                                          • PyInt_FromLong.PYTHON27(0000007F), ref: 6C82FFED
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,CHAR_MAX,00000000,0000007F), ref: 6C82FFFB
                                                                                          • PyErr_NewException.PYTHON27(locale.Error,00000000,00000000), ref: 6C830021
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,Error,00000000,locale.Error,00000000,00000000), ref: 6C830032
                                                                                          • PyString_FromString.PYTHON27(Support for POSIX locales.,00000000,Error,00000000,locale.Error,00000000,00000000), ref: 6C83003C
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,__doc__,00000000,Support for POSIX locales.,00000000,Error,00000000,locale.Error,00000000,00000000), ref: 6C83004A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$Dict_FromItem$Int_Long$Err_String_$DictExceptionFormatInitModule4Module_SubtypeType_
                                                                                          • String ID: CHAR_MAX$Error$LC_ALL$LC_COLLATE$LC_CTYPE$LC_MONETARY$LC_NUMERIC$LC_TIME$Support for POSIX locales.$__doc__$_locale$locale.Error

                                                                                          APIs
                                                                                          • PyString_FromStringAndSize.PYTHON27(00000000,?,?,?), ref: 6C8CE57F
                                                                                          • Py_FatalError.PYTHON27(PyEval_SaveThread: NULL tstate), ref: 6C8CE5BC
                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6C8CE5D2
                                                                                          • SetEvent.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C8CE5E0
                                                                                          • fgetc.MSVCR90 ref: 6C8CE60A
                                                                                          • fgetc.MSVCR90 ref: 6C8CE630
                                                                                          • ferror.MSVCR90 ref: 6C8CE67E
                                                                                          • _errno.MSVCR90 ref: 6C8CE68B
                                                                                          • PyEval_RestoreThread.PYTHON27(00000000,?,?,?,?,?,?,?,?), ref: 6C8CE69A
                                                                                          • PyErr_CheckSignals.PYTHON27(?,?,?,?,?,?,?,?,?), ref: 6C8CE6B1
                                                                                          • clearerr.MSVCR90(?,?,?,?,?,?,?,?,?,?), ref: 6C8CE6BF
                                                                                            • Part of subcall function 6C8CE130: Py_FatalError.PYTHON27(PyEval_SaveThread: NULL tstate), ref: 6C8CE181
                                                                                            • Part of subcall function 6C8CE130: InterlockedDecrement.KERNEL32(?), ref: 6C8CE19C
                                                                                            • Part of subcall function 6C8CE130: SetEvent.KERNEL32(00000000), ref: 6C8CE1AA
                                                                                            • Part of subcall function 6C8CE130: memset.MSVCR90 ref: 6C8CE1BF
                                                                                            • Part of subcall function 6C8CE130: fgets.MSVCR90 ref: 6C8CE1CD
                                                                                            • Part of subcall function 6C8CE130: Py_FatalError.PYTHON27(PyEval_RestoreThread: NULL tstate), ref: 6C8CE1EA
                                                                                            • Part of subcall function 6C8CE130: _errno.MSVCR90 ref: 6C8CE1FB
                                                                                            • Part of subcall function 6C8CE130: InterlockedIncrement.KERNEL32(?), ref: 6C8CE219
                                                                                            • Part of subcall function 6C8CE130: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6C8CE22F
                                                                                            • Part of subcall function 6C8CE130: GetCurrentThreadId.KERNEL32 ref: 6C8CE235
                                                                                            • Part of subcall function 6C8CE130: _errno.MSVCR90 ref: 6C8CE244
                                                                                            • Part of subcall function 6C8CE130: memchr.MSVCR90 ref: 6C8CE273
                                                                                          Strings
                                                                                          • PyEval_RestoreThread: NULL tstate, xrefs: 6C8CE70D
                                                                                          • d, xrefs: 6C8CE572
                                                                                          • line is longer than a Python string can hold, xrefs: 6C8CE872
                                                                                          • PyEval_SaveThread: NULL tstate, xrefs: 6C8CE5B7
                                                                                          Similarity
                                                                                          • API ID: ErrorFatalInterlocked_errno$DecrementEventThreadfgetc$CheckCurrentErr_Eval_FromIncrementObjectRestoreSignalsSingleSizeStringString_Waitclearerrferrorfgetsmemchrmemset
                                                                                          • String ID: PyEval_RestoreThread: NULL tstate$PyEval_SaveThread: NULL tstate$d$line is longer than a Python string can hold

                                                                                          APIs
                                                                                            • Part of subcall function 6C82A5B0: isdigit.MSVCR90 ref: 6C82A5D4
                                                                                            • Part of subcall function 6C82A5B0: malloc.MSVCR90 ref: 6C82A5F9
                                                                                            • Part of subcall function 6C82A5B0: memmove.MSVCR90(00000000,$Revision$,00000000), ref: 6C82A60B
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C82A64A
                                                                                            • Part of subcall function 6C940380: PyErr_GivenExceptionMatches.PYTHON27(00000000,6CA667A8,?,6C8F7E82,00000000,6C8AB1D5,?,?,?,6C8AF66F,00000000,?,00000000,6C8AF785,00000000), ref: 6C940396
                                                                                            • Part of subcall function 6C940380: PyErr_SetObject.PYTHON27(6CA667A8,?), ref: 6C9403B3
                                                                                          • free.MSVCR90 ref: 6C82A711
                                                                                          • Py_GetBuildInfo.PYTHON27([MSC v.1500 32 bit (Intel)]), ref: 6C82A71F
                                                                                          • PyOS_snprintf.PYTHON27(6CAA2138,000000FA,%.80s (%.80s) %.80s,2.7.18,00000000,[MSC v.1500 32 bit (Intel)]), ref: 6C82A739
                                                                                          • PyOS_snprintf.PYTHON27(?,00000104,%I64d,?,?,executable-version,6CAA2138,6CAA2138,000000FA,%.80s (%.80s) %.80s,2.7.18,00000000,[MSC v.1500 32 bit (Intel)]), ref: 6C82A76B
                                                                                          • _getcwd.MSVCR90 ref: 6C82A78E
                                                                                          • PySys_GetObject.PYTHON27(path,current-directory,00000000), ref: 6C82A7A6
                                                                                          Similarity
                                                                                          • API ID: Err_$ObjectS_snprintf$BuildExceptionGivenInfoMatchesMemorySys__getcwdfreeisdigitmallocmemmove
                                                                                          • String ID: %.80s (%.80s) %.80s$%I64d$2.7.18$<non-string-path-entry>$[MSC v.1500 32 bit (Intel)]$current-directory$executable$executable-version$hotshot-version$path$platform$reported-performance-frequency$requested-frame-timings$requested-line-events$requested-line-timings$sys-path-entry$sys.path must be a list$win32$yes

                                                                                          APIs
                                                                                          • Py_ReprEnter.PYTHON27 ref: 6C8248A8
                                                                                            • Part of subcall function 6C8E7E70: PyDict_New.PYTHON27 ref: 6C8E7E8E
                                                                                            • Part of subcall function 6C8E7E70: PyErr_Clear.PYTHON27 ref: 6C8E7EA0
                                                                                            • Part of subcall function 6C8E7E70: PyString_FromString.PYTHON27(Py_Repr), ref: 6C8E7EBB
                                                                                            • Part of subcall function 6C8E7E70: PyDict_GetItem.PYTHON27(?,00000000), ref: 6C8E7ECB
                                                                                            • Part of subcall function 6C8E7E70: Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8E7F4F
                                                                                            • Part of subcall function 6C8E7E70: PyDict_SetItemString.PYTHON27(?,Py_Repr,00000000), ref: 6C8E7F81
                                                                                            • Part of subcall function 6C8E7E70: PyList_Append.PYTHON27(-000000FF,000000FE), ref: 6C8E7FBE
                                                                                          • fputs.MSVCR90 ref: 6C8248CA
                                                                                          • PyEval_RestoreThread.PYTHON27(00000000), ref: 6C8248D1
                                                                                            • Part of subcall function 6C92E540: Py_FatalError.PYTHON27(PyEval_RestoreThread: NULL tstate,?,?,6C9467F6,00000000,00000000,00000000,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E550
                                                                                            • Part of subcall function 6C92E540: _errno.MSVCR90 ref: 6C92E569
                                                                                            • Part of subcall function 6C92E540: _errno.MSVCR90 ref: 6C92E585
                                                                                          • PyEval_SaveThread.PYTHON27 ref: 6C8248BA
                                                                                            • Part of subcall function 6C92E4E0: Py_FatalError.PYTHON27(PyEval_SaveThread: NULL tstate,00000000,6C9467DA,00000000,00000000,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E4FA
                                                                                            • Part of subcall function 6C92E4E0: InterlockedDecrement.KERNEL32(?), ref: 6C92E516
                                                                                            • Part of subcall function 6C92E4E0: SetEvent.KERNEL32(?,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E524
                                                                                          • PyObject_GetIter.PYTHON27(?), ref: 6C8248E3
                                                                                          • PyEval_SaveThread.PYTHON27 ref: 6C8248F9
                                                                                          • fputs.MSVCR90 ref: 6C824909
                                                                                          • PyEval_RestoreThread.PYTHON27(00000000), ref: 6C824910
                                                                                          • Py_FatalError.PYTHON27(PyEval_SaveThread: NULL tstate), ref: 6C82494B
                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6C824966
                                                                                          • SetEvent.KERNEL32(?), ref: 6C824974
                                                                                          • fputs.MSVCR90 ref: 6C824987
                                                                                          • Py_FatalError.PYTHON27(PyEval_RestoreThread: NULL tstate), ref: 6C824999
                                                                                          • _errno.MSVCR90 ref: 6C8249AA
                                                                                          • _errno.MSVCR90 ref: 6C8249C6
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA64978), ref: 6C824A2C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFatal$Eval_Thread_errno$Dict_fputs$DecrementErr_EventInterlockedItemRestoreSaveString$AppendClearEnterExceptionFromGivenIterList_MatchesObject_ReprString_
                                                                                          • String ID: PyEval_RestoreThread: NULL tstate$PyEval_SaveThread: NULL tstate$[...]$], maxlen=%d)$deque([

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced (legend: Executed / Not Executed); first block 6c82e6f0-6c82e70c
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(6C96C2B4,?,000000FE,?,?,?,6C82E485,?,?,000000FE,?,?,?), ref: 6C82E728
                                                                                          • PyString_InternInPlace.PYTHON27(?,?,?,?,6C82E485,?,?,000000FE,?,?,?), ref: 6C82E73F
                                                                                          • PyString_FromString.PYTHON27(6C96C2B8,?,?,?,?,6C82E485,?,?,000000FE,?,?,?), ref: 6C82E754
                                                                                          • PyString_InternInPlace.PYTHON27(?,?,?,?,?,?,6C82E485,?,?,000000FE,?,?,?), ref: 6C82E76B
                                                                                          • PyString_FromString.PYTHON27(6C96C2BC,?,?,?,?,?,?,6C82E485,?,?,000000FE,?,?,?), ref: 6C82E780
                                                                                          • PyString_InternInPlace.PYTHON27(?,?,?,?,?,?,?,?,6C82E485,?,?,000000FE,?,?,?), ref: 6C82E797
                                                                                          • PyList_Append.PYTHON27(?,?,?,?,?,?,?,?,?,?,6C82E485,?,?,000000FE,?,?), ref: 6C82E7D4
                                                                                          • PyLong_FromVoidPtr.PYTHON27(?,?,?,?,?,?,?,?,?,6C82E485,?,?,000000FE,?,?,?), ref: 6C82E7F1
                                                                                          • PyDict_Contains.PYTHON27(?,00000000,?,?,?,?,?,?,?,?,?,6C82E485,?,?,000000FE,?), ref: 6C82E80E
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,Circular reference detected,?,?,?,?,?,?,?,?,?,?,?,6C82E485,?,?), ref: 6C82E82F
                                                                                          • PyDict_SetItem.PYTHON27(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C82E485,?), ref: 6C82E848
                                                                                          • PyList_Append.PYTHON27(?,?,?,?,?,?,?,?,?,?,6C82E485,?,?,000000FE,?,?), ref: 6C82E863
                                                                                          • PyObject_GetIter.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,6C82E485,?,?,000000FE,?), ref: 6C82E882
                                                                                          • PyObject_IsTrue.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?,6C82E485,?,?,000000FE), ref: 6C82E89C
                                                                                          • PyIter_Next.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?,?,6C82E485,?,?), ref: 6C82E8B6
                                                                                          • PyType_IsSubtype.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C82E485), ref: 6C82E8F4
                                                                                          • PyIter_Next.PYTHON27(?), ref: 6C82EB1B
                                                                                          Strings
                                                                                          • keys must be a string, xrefs: 6C82EBAC
                                                                                          • Circular reference detected, xrefs: 6C82E829
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String_$FromString$InternPlace$AppendDict_Iter_List_NextObject_$ContainsErr_ItemIterLong_SubtypeTrueType_Void
                                                                                          • String ID: Circular reference detected$keys must be a string
                                                                                          • API String ID: 570287457-2421305520
                                                                                          • Opcode ID: 421c812b5d745662145c7b6dd8f4df019d836c0de74220740799bfe0760b492c
                                                                                          • Instruction ID: 3097e4c86a6bab29119f4c609301b601e1f9524ec2bfedcabdf7e558fbe65db3
                                                                                          • Opcode Fuzzy Hash: 421c812b5d745662145c7b6dd8f4df019d836c0de74220740799bfe0760b492c
                                                                                          • Instruction Fuzzy Hash: 29E11AB1E006069BDB20CFB5DE4899E7374AF45329F144B29E82487B81E738E986C7D5
                                                                                          APIs
                                                                                          • strchr.MSVCR90 ref: 6C94575F
                                                                                          • strchr.MSVCR90 ref: 6C94577D
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,000006DD), ref: 6C9457E1
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%s%s takes at most %d argument%s (%d given),?,6C96AFEC,00000000,6C96AF8E), ref: 6C94582F
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C9458AF
                                                                                          • PyDict_GetItem.PYTHON27(?,00000000), ref: 6C9458C7
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,Argument given by name ('%s') and position (%d),?,?), ref: 6C945904
                                                                                          • PyErr_Format.PYTHON27(6CA65248,more argument specifiers than keyword list entries (remaining format:'%s'),?), ref: 6C945A23
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,Required argument '%s' (pos %d) not found,?,?), ref: 6C945A53
                                                                                          • PyErr_Format.PYTHON27(6CA65248,More keyword list entries (%d) than format specifiers (%d),?,00000000), ref: 6C945A9F
                                                                                          • PyDict_Next.PYTHON27 ref: 6C945AFD
                                                                                          • PyString_AsString.PYTHON27(?,?,?,?,?), ref: 6C945B26
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,'%s' is an invalid keyword argument for this function,00000000,?,?,?,?,?), ref: 6C945B7A
                                                                                          • PyDict_Next.PYTHON27(?,?,?,?,?,?,?,?,?), ref: 6C945B9B
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,keywords must be strings,?,?,?,?), ref: 6C945BDA
                                                                                          Strings
                                                                                          • More keyword list entries (%d) than format specifiers (%d), xrefs: 6C945A99
                                                                                          • %s%s takes at most %d argument%s (%d given), xrefs: 6C945829
                                                                                          • more argument specifiers than keyword list entries (remaining format:'%s'), xrefs: 6C945A1D
                                                                                          • ..\Objects\dictobject.c, xrefs: 6C9457D6
                                                                                          • Argument given by name ('%s') and position (%d), xrefs: 6C9458FE
                                                                                          • function, xrefs: 6C945819, 6C945828
                                                                                          • Required argument '%s' (pos %d) not found, xrefs: 6C945A3A
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C9457DB
                                                                                          • '%s' is an invalid keyword argument for this function, xrefs: 6C945B74
                                                                                          • keywords must be strings, xrefs: 6C945BD4
                                                                                          • %s: '%s', xrefs: 6C945A4D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$Format$Dict_String$NextString_strchr$FromItem
                                                                                          • String ID: %s%s takes at most %d argument%s (%d given)$%s: '%s'$%s:%d: bad argument to internal function$'%s' is an invalid keyword argument for this function$..\Objects\dictobject.c$Argument given by name ('%s') and position (%d)$More keyword list entries (%d) than format specifiers (%d)$Required argument '%s' (pos %d) not found$function$keywords must be strings$more argument specifiers than keyword list entries (remaining format:'%s')
                                                                                          • API String ID: 3616505498-1988118272
                                                                                          • Opcode ID: 2ee13a1d19f21bff5b11d19e5b12d5f20e1556e020e1958f9b25136d7b9a061e
                                                                                          • Instruction ID: be0501be466be65e8cdfb30d6c9d3182722612470d5e5ce31ae64558492a97df
                                                                                          • Opcode Fuzzy Hash: 2ee13a1d19f21bff5b11d19e5b12d5f20e1556e020e1958f9b25136d7b9a061e
                                                                                          • Instruction Fuzzy Hash: B6D1C1716083019FD314CFA5C880A6BB7E9EF95318F548A5DF89987B41EB31D846CB92
                                                                                          APIs
                                                                                          • PyObject_GetBuffer.PYTHON27(?,?,0000011D), ref: 6C8ABDD4
                                                                                          • PyObject_GetBuffer.PYTHON27(?,?,0000011C), ref: 6C8ABDEF
                                                                                            • Part of subcall function 6C8AB8D0: PyErr_Format.PYTHON27(6CA648B0,'%100s' does not have the buffer interface,?), ref: 6C8AB90F
                                                                                          • PyBuffer_Release.PYTHON27(?), ref: 6C8ABE00
                                                                                          • PyErr_SetString.PYTHON27(6CA66898,destination is too small to receive data from source), ref: 6C8ABE27
                                                                                          • PyBuffer_Release.PYTHON27(?,6CA66898,destination is too small to receive data from source), ref: 6C8ABE31
                                                                                          • PyBuffer_Release.PYTHON27(?,?,6CA66898,destination is too small to receive data from source), ref: 6C8ABE3B
                                                                                          • PyString_FromString.PYTHON27(both destination and source must have the buffer interface), ref: 6C8ABFB6
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,both destination and source must have the buffer interface), ref: 6C8ABFBF
                                                                                          Strings
                                                                                          • both destination and source must have the buffer interface, xrefs: 6C8ABFB1
                                                                                          • destination is too small to receive data from source, xrefs: 6C8ABE21
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Buffer_Err_Release$BufferObject_String$FormatFromObjectString_
                                                                                          • String ID: both destination and source must have the buffer interface$destination is too small to receive data from source
                                                                                          • API String ID: 32417970-1250155686
                                                                                          • Opcode ID: cffab9ccac69f58ef255bef1f63cfed80379ba89c62fbf91c894e78e82c6994f
                                                                                          • Instruction ID: 3d83db683509f7601ba992b244d0e0e977b12d199cb2d3608b52a0930efc8c42
                                                                                          • Opcode Fuzzy Hash: cffab9ccac69f58ef255bef1f63cfed80379ba89c62fbf91c894e78e82c6994f
                                                                                          • Instruction Fuzzy Hash: 0C6109326042085BD324DAA9DA40ABF73E89F8572CF140E7DFD5493A41E732D94BCAD2
                                                                                          APIs
                                                                                          • PyType_Ready.PYTHON27(6CA64658), ref: 6C8CB1FC
                                                                                          • PyType_Ready.PYTHON27(6CA64720), ref: 6C8CB21A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: ReadyType_
                                                                                          • String ID:
                                                                                          • API String ID: 1795249144-0
                                                                                          • Opcode ID: d06586ad0ba5bcb195a2e2e5d4042cdf82fae654a7b632676f71538b76a8257a
                                                                                          • Instruction ID: 7e50063d392ca37896e42e43cb26b452bf3a9b7e6e8c1f2f3465912e020b3068
                                                                                          • Opcode Fuzzy Hash: d06586ad0ba5bcb195a2e2e5d4042cdf82fae654a7b632676f71538b76a8257a
                                                                                          • Instruction Fuzzy Hash: 383147E5E099012AA13056BF7F15B6BA0D85F7118CF091E31ECA9D1F23F701DA5AC0AB
                                                                                          APIs
                                                                                          • malloc.MSVCR90 ref: 6C920483
                                                                                          • memcpy.MSVCR90(00000000,6CAA2F2C,?,00000000), ref: 6C9204BE
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 6C9204FE
                                                                                          • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000), ref: 6C92052A
                                                                                          • malloc.MSVCR90 ref: 6C920551
                                                                                          • memset.MSVCR90 ref: 6C92057B
                                                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 6C9205C2
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,00000000,?,?,?,?,?,?,00000000), ref: 6C9205EB
                                                                                          • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000105,?,?,?,?,?,?,00000000), ref: 6C920611
                                                                                          • malloc.MSVCR90 ref: 6C92061E
                                                                                          • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000105,?,?,?,?,?,?,?,00000000), ref: 6C920643
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,00000000), ref: 6C920662
                                                                                          • malloc.MSVCR90 ref: 6C920685
                                                                                          • strncpy.MSVCR90 ref: 6C9206DE
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 6C92072E
                                                                                          • free.MSVCR90 ref: 6C920758
                                                                                          • free.MSVCR90 ref: 6C92076B
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 6C920782
                                                                                          • free.MSVCR90 ref: 6C920793
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Querymalloc$Valuefree$CloseOpen$EnumInfomemcpymemsetstrncpy
                                                                                          • String ID: Software\Python\PythonCore\$\PythonPath
                                                                                          APIs
                                                                                          • PyArg_ParseTupleAndKeywords.PYTHON27(?,?,O:make_scanner,6CA8B7F0,?), ref: 6C82DE0A
                                                                                          • PyObject_GetAttrString.PYTHON27(?,encoding), ref: 6C82DE3F
                                                                                          • PyString_InternFromString.PYTHON27(utf-8), ref: 6C82DE7A
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,encoding must be a string, not %.80s,?), ref: 6C82DEDB
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: String$Arg_AttrErr_FormatFromInternKeywordsObject_ParseString_Tuple
                                                                                          • String ID: O:make_scanner$encoding$encoding must be a string, not %.80s$object_hook$object_pairs_hook$parse_constant$parse_float$parse_int$strict$utf-8
                                                                                          APIs
                                                                                          • isspace.MSVCR90 ref: 6C83A0F9
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C83A174
                                                                                          • PyString_FromString.PYTHON27(total struct size too long), ref: 6C83A223
                                                                                          • PyErr_SetObject.PYTHON27(00000000,00000000,total struct size too long), ref: 6C83A22C
                                                                                          • malloc.MSVCR90 ref: 6C83A27D
                                                                                          • free.MSVCR90 ref: 6C83A29F
                                                                                          • isspace.MSVCR90 ref: 6C83A2C9
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Err_isspace$FromMemoryObjectStringString_freemalloc
                                                                                          • String ID: 0$0$0$0$9$9$p$p$s$s$total struct size too long$x$x
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA65248,print recursion,?,?,6C8D0298,00000001,00000000,?,00000000), ref: 6C8E57B7
                                                                                          • PyErr_CheckSignals.PYTHON27(?,?,6C8D0298,00000001,00000000,?,00000000), ref: 6C8E57C5
                                                                                          • PyOS_CheckStack.PYTHON27(?,?,6C8D0298,00000001,00000000,?,00000000), ref: 6C8E57CE
                                                                                          • PyErr_SetString.PYTHON27(6CA667A8,stack overflow,?,?,6C8D0298,00000001,00000000,?,00000000), ref: 6C8E57E3
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Err_$CheckString$SignalsStack
                                                                                          • String ID: <nil>$<refcnt %ld at %p>$print recursion$stack overflow
                                                                                          APIs
                                                                                          • PyType_Ready.PYTHON27(6CA8A140), ref: 6C838889
                                                                                          • PyType_Ready.PYTHON27(6CA8A7B0), ref: 6C83889E
                                                                                          • PyType_Ready.PYTHON27(6CA8A8D0), ref: 6C8388B3
                                                                                          • Py_InitModule4.PYTHON27(_sre,6CA8A998,00000000,00000000,000003F5), ref: 6C8388D4
                                                                                          • PyModule_GetDict.PYTHON27(00000000), ref: 6C8388E7
                                                                                            • Part of subcall function 6C8E5170: PyType_IsSubtype.PYTHON27(F08BFC45,?,00000000,?,?,6C8D5195,00000000), ref: 6C8E518B
                                                                                            • Part of subcall function 6C8E5170: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\moduleobject.c,00000032,6C8D5195,00000000), ref: 6C8E51A9
                                                                                          • PyInt_FromLong.PYTHON27(0131A629,00000000), ref: 6C8388F6
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,MAGIC,00000000), ref: 6C83890B
                                                                                            • Part of subcall function 6C8C7460: PyString_FromString.PYTHON27(00000000,?,?,6C8E50D7,00000000,__name__,00000000,?,00000014,?,6C94DEB4), ref: 6C8C7468
                                                                                          • PyInt_FromLong.PYTHON27(00000004), ref: 6C838926
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,CODESIZE,00000000), ref: 6C83893B
                                                                                          • _PyLong_New.PYTHON27(00000001), ref: 6C83896A
                                                                                          • PyDict_SetItemString.PYTHON27(?,MAXREPEAT,00000000), ref: 6C83899F
                                                                                          • PyString_FromString.PYTHON27( SRE 2.2.2 Copyright (c) 1997-2002 by Secret Labs AB ), ref: 6C8389BD
                                                                                          • PyDict_SetItemString.PYTHON27(?,copyright,00000000), ref: 6C8389D6
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: String$Dict_FromItemType_$Ready$Int_LongString_$DictErr_FormatInitLong_Module4Module_Subtype
                                                                                          • String ID: SRE 2.2.2 Copyright (c) 1997-2002 by Secret Labs AB $CODESIZE$MAGIC$MAXREPEAT$_sre$copyright
                                                                                          APIs
                                                                                          • PyType_Ready.PYTHON27(6CA8E5E8), ref: 6C827605
                                                                                          • PyType_Ready.PYTHON27(6CA8E710), ref: 6C82761A
                                                                                          • PyType_Ready.PYTHON27(6CA8E9B8), ref: 6C82762F
                                                                                          • Py_InitModule4.PYTHON27(_csv,6CA8FA70,CSV parsing and writing.This module provides classes that assist in the reading and writingof Comma Separated Value (CSV) files, and implements the interfacedescribed by PEP 305. Although many CSV files are simple to parse,the format is not formally defi,00000000,000003F5), ref: 6C827656
                                                                                          • PyModule_AddStringConstant.PYTHON27(00000000,__version__,1.0), ref: 6C827673
                                                                                            • Part of subcall function 6C94ED90: PyString_FromString.PYTHON27(6C827678,?,?,6C827678,00000000,__version__,1.0), ref: 6C94ED98
                                                                                            • Part of subcall function 6C94ED90: PyModule_AddObject.PYTHON27(?,?,00000000,1.0), ref: 6C94EDAF
                                                                                          • PyDict_New.PYTHON27 ref: 6C827684
                                                                                            • Part of subcall function 6C8C4510: PyString_FromString.PYTHON27(<dummy key>,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4529
                                                                                          • PyModule_AddObject.PYTHON27(00000000,_dialects,00000000), ref: 6C82769D
                                                                                            • Part of subcall function 6C94EC70: PyType_IsSubtype.PYTHON27(?,?,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94EC87
                                                                                            • Part of subcall function 6C94EC70: PyErr_SetString.PYTHON27(6CA648B0,PyModule_AddObject() needs module as first arg,deque,6CA8FF60), ref: 6C94EC9E
                                                                                          • PyModule_AddIntConstant.PYTHON27(00000000,?,00000000), ref: 6C8276BF
                                                                                            • Part of subcall function 6C94ED40: PyInt_FromLong.PYTHON27(00000000,6CA8E478,?,6C8276C4,00000000,?,00000000), ref: 6C94ED48
                                                                                            • Part of subcall function 6C94ED40: PyModule_AddObject.PYTHON27(?,?,00000000), ref: 6C94ED5F
                                                                                          • PyModule_AddObject.PYTHON27(00000000,Dialect,6CA8E5E8), ref: 6C8276E5
                                                                                          • PyErr_NewException.PYTHON27(_csv.Error,00000000,00000000), ref: 6C8276F8
                                                                                          • PyModule_AddObject.PYTHON27(00000000,Error,00000000), ref: 6C827710
                                                                                          Strings
                                                                                          • __version__, xrefs: 6C82766D
                                                                                          • CSV parsing and writing.This module provides classes that assist in the reading and writingof Comma Separated Value (CSV) files, and implements the interfacedescribed by PEP 305. Although many CSV files are simple to parse,the format is not formally defi, xrefs: 6C827647
                                                                                          • Dialect, xrefs: 6C8276DF
                                                                                          • _csv, xrefs: 6C827651
                                                                                          • _dialects, xrefs: 6C827697
                                                                                          • 1.0, xrefs: 6C827668
                                                                                          • _csv.Error, xrefs: 6C8276F3
                                                                                          • Error, xrefs: 6C82770A
                                                                                          Similarity
                                                                                          • API ID: Module_$Object$StringType_$FromReady$ConstantErr_String_$Dict_ExceptionInitInt_LongModule4Subtype
                                                                                          • String ID: 1.0$CSV parsing and writing.This module provides classes that assist in the reading and writingof Comma Separated Value (CSV) files, and implements the interfacedescribed by PEP 305. Although many CSV files are simple to parse,the format is not formally defi$Dialect$Error$__version__$_csv$_csv.Error$_dialects
                                                                                          APIs
                                                                                          • PyCallable_Check.PYTHON27 ref: 6C836C62
                                                                                            • Part of subcall function 6C8E7170: PyObject_GetAttrString.PYTHON27(6C8AF42C,__call__,?,6C8AF42C,00000000), ref: 6C8E718B
                                                                                            • Part of subcall function 6C8E7170: PyErr_Clear.PYTHON27(6C8AF42C,00000000), ref: 6C8E7197
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C836D6F
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C836DAB
                                                                                          • free.MSVCR90 ref: 6C836E12
                                                                                          • PySequence_GetSlice.PYTHON27(?,?,?,?), ref: 6C836ECD
                                                                                          • PyList_Append.PYTHON27(?,00000000,?,?,?), ref: 6C836EE5
                                                                                          • PyTuple_Pack.PYTHON27(00000001,00000000,?), ref: 6C836F44
                                                                                          • PyEval_CallObjectWithKeywords.PYTHON27(?,00000000,00000000,?,?,?), ref: 6C836F5E
                                                                                          • PyList_Append.PYTHON27(?,?), ref: 6C836FA8
                                                                                          • PySequence_GetSlice.PYTHON27(?,?,?,?), ref: 6C837034
                                                                                          • PyList_Append.PYTHON27(?,00000000,?,?,?), ref: 6C837048
                                                                                          • _Py_BuildValue_SizeT.PYTHON27(6CA0FD28,00000000,?,?), ref: 6C8370E5
                                                                                            • Part of subcall function 6C835FD0: PyErr_SetString.PYTHON27(6CA65248,internal error in regular expression engine), ref: 6C835FEA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: AppendList_$Err_Object_Sequence_SliceString$AttrBuildCallCallable_CheckClearErrorEval_FatalKeywordsMallocObjectPackSizeTuple_Value_Withfree
                                                                                          • String ID: GC object already tracked$_subx
                                                                                          • API String ID: 255113379-2325474022
                                                                                          • Opcode ID: 15131408bb21d1141e40372ca09f84123703a4ebd41fcb153aa3d6357b4fd3b3
                                                                                          • Instruction ID: 0d1c92036f5846e0e6473c5041740954e21c8c40116864679dc1787f24282a08
                                                                                          • Opcode Fuzzy Hash: 15131408bb21d1141e40372ca09f84123703a4ebd41fcb153aa3d6357b4fd3b3
                                                                                          • Instruction Fuzzy Hash: 4AE192B19043118FC720CFA8DA8095AB7F4BB85328F156E2DE96C87741D735E94ACBD2
                                                                                          APIs
                                                                                          • PyArg_UnpackTuple.PYTHON27 ref: 6C82774F
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                          • PyObject_GetIter.PYTHON27(?), ref: 6C82776E
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,reduce() arg 2 must support iteration), ref: 6C82778C
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000002), ref: 6C8277E9
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C827817
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000002), ref: 6C827889
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8278B1
                                                                                          • PyTuple_SetItem.PYTHON27(00000000,00000000,?), ref: 6C82790F
                                                                                          • PyTuple_SetItem.PYTHON27(00000000,00000001,00000000,00000000,00000000,?), ref: 6C827918
                                                                                          • PyEval_CallObjectWithKeywords.PYTHON27(?,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?), ref: 6C827925
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA64978), ref: 6C827953
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C82795F
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,reduce() of empty sequence with no initial value), ref: 6C827994
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$Object_String$ErrorFatalItemObjectTuple_$Arg_CallClearEval_ExceptionFromGivenIterKeywordsMatchesString_TupleUnpackWith
                                                                                          • String ID: GC object already tracked$reduce$reduce() arg 2 must support iteration$reduce() of empty sequence with no initial value
                                                                                          • API String ID: 1261823125-4141807436
                                                                                          • Opcode ID: 1581c6c50a55076b01695db47f116230a3da85468c9754bef6b8f8a59daa87be
                                                                                          • Instruction ID: 70d822ca34750364fe41d7ff5dc29122a8c087f276098a58d0552762c38c2e0b
                                                                                          • Opcode Fuzzy Hash: 1581c6c50a55076b01695db47f116230a3da85468c9754bef6b8f8a59daa87be
                                                                                          • Instruction Fuzzy Hash: 1B91E5716057029FD724CF2AC945A5673F0FF85324F148B68E86987B91D738E886CBD1
                                                                                          APIs
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA667A8), ref: 6C82B0F4
                                                                                          • PyErr_SetObject.PYTHON27(6CA667A8,?), ref: 6C82B114
                                                                                          • PyUnicodeUCS2_DecodeUTF8Stateful.PYTHON27(?,?,strict,00000000), ref: 6C82B145
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,Negative size passed to PyString_FromStringAndSize), ref: 6C82B21B
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,string is too large), ref: 6C82B245
                                                                                          • PyObject_Malloc.PYTHON27(00000017), ref: 6C82B255
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C82B261
                                                                                            • Part of subcall function 6C940380: PyErr_GivenExceptionMatches.PYTHON27(00000000,6CA667A8,?,6C8F7E82,00000000,6C8AB1D5,?,?,?,6C8AF66F,00000000,?,00000000,6C8AF785,00000000), ref: 6C940396
                                                                                            • Part of subcall function 6C940380: PyErr_SetObject.PYTHON27(6CA667A8,?), ref: 6C9403B3
                                                                                          • PyString_InternInPlace.PYTHON27(?), ref: 6C82B293
                                                                                          • memcpy.MSVCR90(00000015,?,?), ref: 6C82B2C9
                                                                                          • _PyString_Resize.PYTHON27(?,?), ref: 6C82B341
                                                                                          • _PyString_Resize.PYTHON27(?,?), ref: 6C82B377
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA667A8), ref: 6C82B3B4
                                                                                          • PyErr_SetObject.PYTHON27(6CA667A8,?), ref: 6C82B3D7
                                                                                          Strings
                                                                                          • string is too large, xrefs: 6C82B23F
                                                                                          • strict, xrefs: 6C82B13E
                                                                                          • Negative size passed to PyString_FromStringAndSize, xrefs: 6C82B215
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$ExceptionGivenMatchesObjectString_$ResizeString$DecodeInternMallocMemoryObject_PlaceStatefulUnicodememcpy
                                                                                          • String ID: Negative size passed to PyString_FromStringAndSize$strict$string is too large
                                                                                          • API String ID: 2040566279-589369557
                                                                                          • Opcode ID: 51caa5badd75f0017cf8d0c48d43474f1ba2cd4946394f29afd3b2eeeca29035
                                                                                          • Instruction ID: 4a4704ca907b3bf4fdad94b05aed34f4052b7a8d761fea3f64a0f2e8108bc230
                                                                                          • Opcode Fuzzy Hash: 51caa5badd75f0017cf8d0c48d43474f1ba2cd4946394f29afd3b2eeeca29035
                                                                                          • Instruction Fuzzy Hash: 71C11E726052028FC714CF69D9C887A73E4EB853287244F6DD92B87B51E739D886CBD1
                                                                                          APIs
                                                                                          • PyDict_Size.PYTHON27(?), ref: 6C83692E
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%s() takes at most %d positional arguments (%zd given),split,00000002,?), ref: 6C83695A
                                                                                          • _PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|OnO:split,6CA89B68,?,?,?), ref: 6C836982
                                                                                          • PyErr_WarnEx.PYTHON27(6CA66B30,split() requires a non-empty pattern match.,00000001), ref: 6C8369DE
                                                                                          • PyErr_WarnEx.PYTHON27(6CA66E60,split() requires a non-empty pattern match.,00000001), ref: 6C836A01
                                                                                            • Part of subcall function 6C835E20: memset.MSVCR90 ref: 6C835E31
                                                                                          • PyList_New.PYTHON27(00000000), ref: 6C836A32
                                                                                            • Part of subcall function 6C8D93A0: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,0000007E,?,?,?,?,?,6C8C5BB1,?,?,?,?,6C8C67DF,?), ref: 6C8D93C3
                                                                                          • PySequence_GetSlice.PYTHON27(?,?,?,?), ref: 6C836B0B
                                                                                          • PyList_Append.PYTHON27(?,00000000,?,?,?), ref: 6C836B22
                                                                                          • PyList_Append.PYTHON27(?,00000000,?,?,?,?,?), ref: 6C836B71
                                                                                          • PySequence_GetSlice.PYTHON27(?,?,00000001,?,?), ref: 6C836BFA
                                                                                          • PyList_Append.PYTHON27(?,00000000,?,?,?), ref: 6C836C0D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_List_$Append$FormatSequence_SizeSliceWarn$Arg_Dict_Keywords_ParseTuplememset
                                                                                          • String ID: %s() takes at most %d positional arguments (%zd given)$source$split$split() requires a non-empty pattern match.$|OnO:split
                                                                                          • API String ID: 1086040982-4007574005
                                                                                          • Opcode ID: cff57c4406c14e6ff0c61dcb9ea5874cb3230e2c9aeec60714992c3ff10dd146
                                                                                          • Instruction ID: 3cf31afcf80f3ca7395368e6b855e8d8b69b6353f83dab0ebd520061f11c6ddb
                                                                                          • Opcode Fuzzy Hash: cff57c4406c14e6ff0c61dcb9ea5874cb3230e2c9aeec60714992c3ff10dd146
                                                                                          • Instruction Fuzzy Hash: F1918771A01225ABCB24DF9CDE8099E73B8BB44358F146AB8E81DD7B40D631EE45CBD0
                                                                                          APIs
                                                                                          • PyArg_UnpackTuple.PYTHON27(?,seed,00000000,00000001,?), ref: 6C8316A2
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                          • PyMem_Malloc.PYTHON27(00000020), ref: 6C831732
                                                                                          • _PyLong_New.PYTHON27(00000001), ref: 6C831759
                                                                                          • PyInt_FromLong.PYTHON27(00000020), ref: 6C83178B
                                                                                          • PyObject_IsTrue.PYTHON27(?), ref: 6C8317A2
                                                                                          • PyNumber_And.PYTHON27(?,?), ref: 6C8317C5
                                                                                          • PyLong_AsUnsignedLong.PYTHON27(00000000), ref: 6C8317D8
                                                                                          • PyNumber_Rshift.PYTHON27(?,?), ref: 6C83180F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: FromLongLong_Number_$Arg_Err_Int_MallocMem_ObjectObject_RshiftStringString_TrueTupleUnpackUnsigned
                                                                                          • String ID: seed
                                                                                          • API String ID: 2087077843-1149756166
                                                                                          • Opcode ID: 215b5b3e9f3ba924e71adbda0b939fc01c1c095a8a71167e9820e57d4a806e7a
                                                                                          • Instruction ID: c28efc02fa1cc1fdd8d8662ffd52344e90a4f7d5760192a53938ce058f17987e
                                                                                          • Opcode Fuzzy Hash: 215b5b3e9f3ba924e71adbda0b939fc01c1c095a8a71167e9820e57d4a806e7a
                                                                                          • Instruction Fuzzy Hash: 7E81E7B1E002259BDB20CBD9D9409EE73B4AF45728F146B68DC1997780E734ED46CBD1
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,int() base must be >= 2 and <= 36, or 0), ref: 6C8D7586
                                                                                          • isspace.MSVCR90 ref: 6C8D75A4
                                                                                          • _errno.MSVCR90 ref: 6C8D75B9
                                                                                          • PyOS_strtoul.PYTHON27(?,?,?), ref: 6C8D75D5
                                                                                          • PyLong_FromString.PYTHON27(?,?,?), ref: 6C8D75E9
                                                                                          • PyOS_strtol.PYTHON27(?,?,?), ref: 6C8D75FF
                                                                                            • Part of subcall function 6C94F0A0: isspace.MSVCR90 ref: 6C94F0B9
                                                                                            • Part of subcall function 6C94F0A0: PyOS_strtoul.PYTHON27(?,?,?,?,?,?,6C8D7604,?,?,?), ref: 6C94F0E1
                                                                                          • isalnum.MSVCR90 ref: 6C8D7616
                                                                                          • isspace.MSVCR90 ref: 6C8D7634
                                                                                          • _errno.MSVCR90 ref: 6C8D7650
                                                                                          • PyLong_FromString.PYTHON27(?,?,?), ref: 6C8D7664
                                                                                          • PyInt_FromLong.PYTHON27(00000000), ref: 6C8D767D
                                                                                          • PyString_FromStringAndSize.PYTHON27(?,000000C8), ref: 6C8D76B8
                                                                                          • PyObject_Repr.PYTHON27(00000000), ref: 6C8D76C7
                                                                                          • PyErr_Format.PYTHON27(6CA65D10,invalid literal for int() with base %d: %s,?,00000014), ref: 6C8D76FA
                                                                                          Strings
                                                                                          • invalid literal for int() with base %d: %s, xrefs: 6C8D76F4
                                                                                          • int() base must be >= 2 and <= 36, or 0, xrefs: 6C8D7580
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: FromString$isspace$Err_Long_S_strtoul_errno$FormatInt_LongObject_ReprS_strtolSizeString_isalnum
                                                                                          • String ID: int() base must be >= 2 and <= 36, or 0$invalid literal for int() with base %d: %s
                                                                                          • API String ID: 589373795-3519328525
                                                                                          • Opcode ID: d1e0c953af2d259f0e51f36ab232484f017c83ce52b095a3e7080cba58684daf
                                                                                          • Instruction ID: e222e0fadf1e1d2ddc23e3e4b3a9906d3c681239ce56b2a843956ee0a2578963
                                                                                          • Opcode Fuzzy Hash: d1e0c953af2d259f0e51f36ab232484f017c83ce52b095a3e7080cba58684daf
                                                                                          • Instruction Fuzzy Hash: 94514DB29042115BD7218E29BD40AB673B8DB82328F154F64FC9487749F725FD15C3E2
                                                                                          APIs
                                                                                          • Py_InitModule4.PYTHON27(_lsprof,6CAA2624,Fast profiler,00000000,000003F5), ref: 6C830EA0
                                                                                          • PyModule_GetDict.PYTHON27(00000000), ref: 6C830EB3
                                                                                            • Part of subcall function 6C8E5170: PyType_IsSubtype.PYTHON27(F08BFC45,?,00000000,?,?,6C8D5195,00000000), ref: 6C8E518B
                                                                                            • Part of subcall function 6C8E5170: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\moduleobject.c,00000032,6C8D5195,00000000), ref: 6C8E51A9
                                                                                          • PyType_Ready.PYTHON27(6CA8B208,00000000), ref: 6C830EBF
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,Profiler,6CA8B208), ref: 6C830EDA
                                                                                            • Part of subcall function 6C8C7460: PyString_FromString.PYTHON27(00000000,?,?,6C8E50D7,00000000,__name__,00000000,?,00000014,?,6C94DEB4), ref: 6C8C7468
                                                                                          • PyStructSequence_InitType.PYTHON27(6CA91B18,6CA8AC10), ref: 6C830EF5
                                                                                            • Part of subcall function 6C8F7970: malloc.MSVCR90 ref: 6C8F7A06
                                                                                            • Part of subcall function 6C8F7970: PyType_Ready.PYTHON27(6CA94458), ref: 6C8F7A89
                                                                                          • PyStructSequence_InitType.PYTHON27(6CA91A50,6CA8AC20,6CA91B18,6CA8AC10), ref: 6C830F04
                                                                                            • Part of subcall function 6C8F7970: PyString_FromString.PYTHON27(n_sequence_fields), ref: 6C8F7B44
                                                                                            • Part of subcall function 6C8F7970: PyString_InternInPlace.PYTHON27(00000000), ref: 6C8F7B57
                                                                                            • Part of subcall function 6C8F7970: PyDict_SetItem.PYTHON27(6CA94458,00000000,?,00000000), ref: 6C8F7B65
                                                                                            • Part of subcall function 6C8F7970: PyString_FromString.PYTHON27(n_fields), ref: 6C8F7C34
                                                                                            • Part of subcall function 6C8F7970: PyString_InternInPlace.PYTHON27(6CA94458), ref: 6C8F7C47
                                                                                            • Part of subcall function 6C8F7970: PyDict_SetItem.PYTHON27(6CA94458,6CA94458,?,6CA94458), ref: 6C8F7C55
                                                                                            • Part of subcall function 6C8F7970: PyString_FromString.PYTHON27(n_unnamed_fields), ref: 6C8F7D25
                                                                                            • Part of subcall function 6C8F7970: PyString_InternInPlace.PYTHON27(6CA62AA8), ref: 6C8F7D38
                                                                                          • PyModule_AddObject.PYTHON27(00000000,profiler_entry,6CA91B18), ref: 6C830F28
                                                                                          • PyModule_AddObject.PYTHON27(00000000,profiler_subentry,6CA91A50,00000000,profiler_entry,6CA91B18), ref: 6C830F38
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000000), ref: 6C830F67
                                                                                            • Part of subcall function 6C85BAA0: _PyObject_GC_Malloc.PYTHON27(?), ref: 6C85BABC
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C830FA4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String_$String$From$Dict_InitInternItemModule_PlaceType_$ObjectObject_ReadySequence_StructType$DictErr_ErrorFatalFormatMallocModule4Subtypemalloc
                                                                                          • String ID: Fast profiler$GC object already tracked$Profiler$_lsprof$profiler_entry$profiler_subentry
                                                                                          • API String ID: 931865609-500016676
                                                                                          • Opcode ID: b89d259fad3535aa4017697ff4b830a13396269db20cd9c8030ccdbb6f2fc4f5
                                                                                          • Instruction ID: 8c104a0025439c74b78bb2a560338bb611dea789079ba95b18a5feeb5c2ecafa
                                                                                          • Opcode Fuzzy Hash: b89d259fad3535aa4017697ff4b830a13396269db20cd9c8030ccdbb6f2fc4f5
                                                                                          • Instruction Fuzzy Hash: 64317D72B013055FD7205F5D9E42AA5B3E8F793229B004A3AE91852F81EB34985787E5
                                                                                          APIs
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C82B701
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          • PyString_FromString.PYTHON27(end is out of bounds), ref: 6C82B74F
                                                                                          • PyErr_SetObject.PYTHON27(6CA65D10,00000000,end is out of bounds), ref: 6C82B758
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C82B7A7
                                                                                          • PyString_FromStringAndSize.PYTHON27(?,?), ref: 6C82B829
                                                                                          • PyUnicodeUCS2_FromEncodedObject.PYTHON27(00000000,?,00000000), ref: 6C82B842
                                                                                          • PyList_Append.PYTHON27(?,00000000), ref: 6C82B86B
                                                                                          • PyList_Append.PYTHON27(?,?), ref: 6C82B9E5
                                                                                            • Part of subcall function 6C82B460: PyString_FromString.PYTHON27(json.decoder), ref: 6C82B473
                                                                                            • Part of subcall function 6C82B460: PyImport_Import.PYTHON27(00000000), ref: 6C82B486
                                                                                            • Part of subcall function 6C82B460: PyObject_GetAttrString.PYTHON27(00000000,errmsg), ref: 6C82B4AB
                                                                                            • Part of subcall function 6C82B460: PyObject_CallFunction.PYTHON27(?,(zOO&),?,?,Function_0000ADF0,?), ref: 6C82B4E9
                                                                                            • Part of subcall function 6C82B460: PyErr_SetObject.PYTHON27(6CA65D10,00000000), ref: 6C82B4FF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$From$DebugObjectObject_OutputString_$AppendErr_List___iob_func$AttrCallEncodedErrorFatalFunctionImportImport_MallocSizeUnicodeabortfflushfprintf
                                                                                          • String ID: GC object already tracked$Invalid \escape$Invalid \uXXXX escape$Invalid control character at$Unterminated string starting at$end is out of bounds
                                                                                          • API String ID: 3483052483-1491704308
                                                                                          • Opcode ID: b39cfdd4c986352aeeed992122a211a6f0d221e9c49f8940f1473b9f892eddef
                                                                                          • Instruction ID: 3033654ea5952e4fc9618ae11bfd3f81df6456c4efb9b0176e51f6eb1d550894
                                                                                          • Opcode Fuzzy Hash: b39cfdd4c986352aeeed992122a211a6f0d221e9c49f8940f1473b9f892eddef
                                                                                          • Instruction Fuzzy Hash: 69C127759072019FC720CF58D98497677F0EF46368F148E29E8AA47B91E738E882DBD1
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000040), ref: 6C8E3778
                                                                                          • PyObject_GetBuffer.PYTHON27(?,0000000C,0000011C), ref: 6C8E37B0
                                                                                          • PyBuffer_IsContiguous.PYTHON27(0000000C,?), ref: 6C8E37C5
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8E37E4
                                                                                          • PyErr_SetString.PYTHON27(6CA66898,writable contiguous buffer requested for a non-contiguousobject.), ref: 6C8E383F
                                                                                            • Part of subcall function 6C8E3660: PyErr_NoMemory.PYTHON27(?,?,6C8E38F0,00000014,?), ref: 6C8E366E
                                                                                          • PyString_FromStringAndSize.PYTHON27(00000000,?), ref: 6C8E3856
                                                                                          • PyTuple_Pack.PYTHON27(00000002,?,00000000), ref: 6C8E38AA
                                                                                          • PyBuffer_Release.PYTHON27(0000000C), ref: 6C8E3927
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8E3940
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          • PyString_FromString.PYTHON27(object does not have the buffer interface), ref: 6C8E397F
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,object does not have the buffer interface), ref: 6C8E3988
                                                                                          Strings
                                                                                          • object does not have the buffer interface, xrefs: 6C8E397A
                                                                                          • writable contiguous buffer requested for a non-contiguousobject., xrefs: 6C8E3839
                                                                                          • GC object already tracked, xrefs: 6C8E37DF, 6C8E393B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$DebugErr_Output$Buffer_ErrorFatalFromObject_String___iob_func$BufferContiguousMallocMemoryObjectPackReleaseSizeTuple_abortfflushfprintf
                                                                                          • String ID: GC object already tracked$object does not have the buffer interface$writable contiguous buffer requested for a non-contiguousobject.
                                                                                          • API String ID: 2061887235-4082899811
                                                                                          • Opcode ID: 2332d83c690c8d54bde94fdea830c8a031ab0502b7a181b5fabdaceae1421433
                                                                                          • Instruction ID: f5875b05dde619850b39e2560eeb4d4413b778383125db81d3d631c3526bf8d5
                                                                                          • Opcode Fuzzy Hash: 2332d83c690c8d54bde94fdea830c8a031ab0502b7a181b5fabdaceae1421433
                                                                                          • Instruction Fuzzy Hash: C771F7B16002119BD720DF59DD40AA6B3B4FB4A338F148B78D96887B91E335EC56CB91
                                                                                          APIs
                                                                                          • PyUnicodeUCS2_AsEncodedString.PYTHON27(?,00000000,00000000), ref: 6C8E6E6C
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,attribute name must be string, not '%.200s',?), ref: 6C8E6E94
                                                                                          • PyType_Ready.PYTHON27(?), ref: 6C8E6EB2
                                                                                          • _PyType_Lookup.PYTHON27(?,?), ref: 6C8E6EC4
                                                                                          • _PyObject_GetDictPtr.PYTHON27(?), ref: 6C8E6F0B
                                                                                          • PyDict_New.PYTHON27 ref: 6C8E6F2A
                                                                                          • PyDict_DelItem.PYTHON27(?,?), ref: 6C8E6F4A
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA65C10), ref: 6C8E6F78
                                                                                          • PyErr_SetObject.PYTHON27(6CA655C0,?), ref: 6C8E6F8C
                                                                                          Strings
                                                                                          • '%.100s' object has no attribute '%.200s', xrefs: 6C8E6FDC
                                                                                          • attribute name must be string, not '%.200s', xrefs: 6C8E6E8E
                                                                                          • '%.50s' object attribute '%.400s' is read-only, xrefs: 6C8E6FF5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$Dict_Type_$DictEncodedExceptionFormatGivenItemLookupMatchesObjectObject_ReadyStringUnicode
                                                                                          • String ID: '%.100s' object has no attribute '%.200s'$'%.50s' object attribute '%.400s' is read-only$attribute name must be string, not '%.200s'
                                                                                          • API String ID: 86432852-722485057
                                                                                          • Opcode ID: 362109da72b44ce12b342bbc43a314c1377f269c84ecd85fb04c67fd453ecbf4
                                                                                          • Instruction ID: 03097a2b5aaafd82eaa50709ec63aa83fd676c01e45e144eded9244894946c61
                                                                                          • Opcode Fuzzy Hash: 362109da72b44ce12b342bbc43a314c1377f269c84ecd85fb04c67fd453ecbf4
                                                                                          • Instruction Fuzzy Hash: 0551C3B5A052069FD720CF19DD40A6B73A8AF9A328F144E69FD28C7781E731D905CBE1
                                                                                          APIs
                                                                                          • PyArg_ParseTuple.PYTHON27 ref: 6C82F5B6
                                                                                          • setlocale.MSVCR90 ref: 6C82F5DD
                                                                                          • PyErr_SetString.PYTHON27(00000000,unsupported locale setting), ref: 6C82F5F5
                                                                                          • PyString_FromString.PYTHON27(00000000), ref: 6C82F606
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C82F62A
                                                                                          • setlocale.MSVCR90 ref: 6C82F63A
                                                                                          • PyErr_SetString.PYTHON27(00000000,locale query failed), ref: 6C82F653
                                                                                          • PyString_FromString.PYTHON27(invalid locale category), ref: 6C82F67F
                                                                                          • PyErr_SetObject.PYTHON27(00000000,00000000,invalid locale category), ref: 6C82F688
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String$FromString_setlocale$Arg_ClearObjectParseTuple
                                                                                          • String ID: invalid locale category$i|z:setlocale$locale query failed$unsupported locale setting
                                                                                          • API String ID: 710232110-2409507137
                                                                                          APIs
                                                                                          • PyEval_SaveThread.PYTHON27 ref: 6C825476
                                                                                            • Part of subcall function 6C92E4E0: Py_FatalError.PYTHON27(PyEval_SaveThread: NULL tstate,00000000,6C9467DA,00000000,00000000,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E4FA
                                                                                            • Part of subcall function 6C92E4E0: InterlockedDecrement.KERNEL32(?), ref: 6C92E516
                                                                                            • Part of subcall function 6C92E4E0: SetEvent.KERNEL32(?,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E524
                                                                                          • fprintf.MSVCR90 ref: 6C82548C
                                                                                          • PyEval_RestoreThread.PYTHON27(00000000), ref: 6C82548F
                                                                                            • Part of subcall function 6C92E540: Py_FatalError.PYTHON27(PyEval_RestoreThread: NULL tstate,?,?,6C9467F6,00000000,00000000,00000000,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E550
                                                                                            • Part of subcall function 6C92E540: _errno.MSVCR90 ref: 6C92E569
                                                                                            • Part of subcall function 6C92E540: _errno.MSVCR90 ref: 6C92E585
                                                                                          • PyEval_SaveThread.PYTHON27 ref: 6C8254A1
                                                                                          • fprintf.MSVCR90 ref: 6C8254AE
                                                                                          • PyEval_RestoreThread.PYTHON27(00000000), ref: 6C8254B1
                                                                                          • PyEval_SaveThread.PYTHON27 ref: 6C8254C9
                                                                                          • fprintf.MSVCR90 ref: 6C8254D6
                                                                                          • PyEval_RestoreThread.PYTHON27(00000000), ref: 6C8254D9
                                                                                          • PyEval_SaveThread.PYTHON27 ref: 6C8254ED
                                                                                          • fprintf.MSVCR90 ref: 6C8254FB
                                                                                          • PyEval_RestoreThread.PYTHON27(?), ref: 6C825501
                                                                                          Similarity
                                                                                          • API ID: Eval_Thread$RestoreSavefprintf$ErrorFatal_errno$DecrementEventInterlocked
                                                                                          • String ID: None$defaultdict(
                                                                                          • API String ID: 1827517810-219834825
                                                                                          APIs
                                                                                          • isalnum.MSVCR90 ref: 6C832025
                                                                                          • isalnum.MSVCR90 ref: 6C832043
                                                                                          • _PyUnicodeUCS2_IsDecimalDigit.PYTHON27 ref: 6C83205C
                                                                                          • _PyUnicodeUCS2_IsDecimalDigit.PYTHON27 ref: 6C832066
                                                                                          • _PyUnicodeUCS2_IsWhitespace.PYTHON27 ref: 6C83208A
                                                                                          • _PyUnicodeUCS2_IsWhitespace.PYTHON27 ref: 6C8320B2
                                                                                          • _PyUnicodeUCS2_IsAlpha.PYTHON27 ref: 6C8320C5
                                                                                          • _PyUnicodeUCS2_IsDecimalDigit.PYTHON27 ref: 6C8320D2
                                                                                          • _PyUnicodeUCS2_IsDigit.PYTHON27 ref: 6C8320E3
                                                                                          • _PyUnicodeUCS2_IsNumeric.PYTHON27 ref: 6C8320F4
                                                                                          • _PyUnicodeUCS2_IsAlpha.PYTHON27 ref: 6C8320FF
                                                                                          • _PyUnicodeUCS2_IsDecimalDigit.PYTHON27 ref: 6C832110
                                                                                          • _PyUnicodeUCS2_IsDigit.PYTHON27 ref: 6C832121
                                                                                          • _PyUnicodeUCS2_IsNumeric.PYTHON27 ref: 6C832132
                                                                                          • _PyUnicodeUCS2_IsLinebreak.PYTHON27 ref: 6C832152
                                                                                          • _PyUnicodeUCS2_IsLinebreak.PYTHON27 ref: 6C83215C
                                                                                          Similarity
                                                                                          • API ID: Unicode$Digit$Decimal$AlphaLinebreakNumericWhitespaceisalnum
                                                                                          • String ID:
                                                                                          • API String ID: 1297412580-0
                                                                                          APIs
                                                                                          • PyObject_IsTrue.PYTHON27 ref: 6C82C7DB
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C82C818
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C82C85A
                                                                                          • PyTuple_Pack.PYTHON27(00000002,?,00000000), ref: 6C82C9EC
                                                                                          • PyList_Append.PYTHON27(?,00000000), ref: 6C82CA34
                                                                                          • PyObject_CallFunctionObjArgs.PYTHON27(?,?,00000000), ref: 6C82CB48
                                                                                          • PyObject_CallFunctionObjArgs.PYTHON27(?,?,00000000), ref: 6C82CB88
                                                                                            • Part of subcall function 6C8AF750: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AF770
                                                                                          • PyObject_CallFunctionObjArgs.PYTHON27(?,00000000,00000000), ref: 6C82CBC0
                                                                                          Strings
                                                                                          • Expecting property name enclosed in double quotes, xrefs: 6C82CAE9
                                                                                          • Expecting ',' delimiter, xrefs: 6C82CB12
                                                                                          • Expecting ':' delimiter, xrefs: 6C82C939
                                                                                          • Expecting object, xrefs: 6C82C8B6
                                                                                          • GC object already tracked, xrefs: 6C82C855
                                                                                          Similarity
                                                                                          • API ID: Object_$ArgsCallFunction$AppendErr_ErrorFatalList_MallocPackStringTrueTuple_
                                                                                          • String ID: Expecting ',' delimiter$Expecting ':' delimiter$Expecting object$Expecting property name enclosed in double quotes$GC object already tracked
                                                                                          • API String ID: 2157364734-52499038
                                                                                          APIs
                                                                                          • PyCodec_LookupError.PYTHON27(?,-000000FF,?,?,?,?,6C822548), ref: 6C9081B1
                                                                                          • _PyObject_CallFunction_SizeT.PYTHON27(6CA65FF0,ss#nns,?,6C822548,?,?,?,00000000,-000000FF,?,?,?,?,6C822548), ref: 6C9081EE
                                                                                          • PyUnicodeDecodeError_SetReason.PYTHON27(?,00000000,-000000FF,?,?,?,?,6C822548), ref: 6C908217
                                                                                            • Part of subcall function 6C8CAAB0: PyString_FromString.PYTHON27(?), ref: 6C8CAABB
                                                                                          • PyObject_CallFunctionObjArgs.PYTHON27(00000000,?,00000000,?,?,?,?,6C822548), ref: 6C90822F
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,decoding error handler must return (unicode, int) tuple,?,?,?,?,?,?,?,6C822548), ref: 6C90825C
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(00000000,O!n;decoding error handler must return (unicode, int) tuple,?,00000000,?,?,?,?,?,?,?,?,6C822548), ref: 6C908279
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,decoded result is too long for a Python string,?,?,?,?,?,?,?,?,?,?,?,?,6C822548), ref: 6C9082D7
                                                                                          • memcpy.MSVCR90(?,?,6C822548,?,?,?,?,?,?,?,?,?,?,?,?,6C822548), ref: 6C908360
                                                                                          • PyErr_Format.PYTHON27(6CA65B38,position %zd from error handler out of bounds,?,?,?,?,?,?,?,?,?,?,?,?,?,6C822548), ref: 6C9083AC
                                                                                          Strings
                                                                                          • O!n;decoding error handler must return (unicode, int) tuple, xrefs: 6C908273
                                                                                          • position %zd from error handler out of bounds, xrefs: 6C9083A6
                                                                                          • ss#nns, xrefs: 6C9081E8
                                                                                          • decoded result is too long for a Python string, xrefs: 6C9082D1
                                                                                          Similarity
                                                                                          • API ID: Err_String$CallObject_Size$Arg_ArgsCodec_DecodeErrorError_FormatFromFunctionFunction_LookupParseReasonString_Tuple_Unicodememcpy
                                                                                          • String ID: O!n;decoding error handler must return (unicode, int) tuple$decoded result is too long for a Python string$position %zd from error handler out of bounds$ss#nns
                                                                                          • API String ID: 3819994130-703452432
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,writeobject with NULL file), ref: 6C8D00D6
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8D00FA
                                                                                          • PyObject_GetAttrString.PYTHON27(?,write), ref: 6C8D0110
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$AttrErr_Object_SubtypeType_
                                                                                          • String ID: I/O operation on closed file$strict$write$writeobject with NULL file
                                                                                          • API String ID: 1296135835-1655942581
                                                                                          APIs
                                                                                          • PyDict_Size.PYTHON27(?), ref: 6C8E4834
                                                                                          • PyDict_Size.PYTHON27(?), ref: 6C8E4872
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s() takes no arguments (%zd given),?,?), ref: 6C8E48AC
                                                                                          • PyDict_Size.PYTHON27(?), ref: 6C8E48C5
                                                                                          • PyDict_Size.PYTHON27(?), ref: 6C8E4919
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s() takes no keyword arguments,00000000), ref: 6C8E4937
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\methodobject.c,00000078), ref: 6C8E498B
                                                                                          Strings
                                                                                          • %.200s() takes exactly one argument (%zd given), xrefs: 6C8E48FA
                                                                                          • %.200s() takes no arguments (%zd given), xrefs: 6C8E48A6
                                                                                          • %.200s() takes no keyword arguments, xrefs: 6C8E4931
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8E4985
                                                                                          • ..\Objects\methodobject.c, xrefs: 6C8E4980
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Dict_Size$Err_Format
                                                                                          • String ID: %.200s() takes exactly one argument (%zd given)$%.200s() takes no arguments (%zd given)$%.200s() takes no keyword arguments$%s:%d: bad argument to internal function$..\Objects\methodobject.c
                                                                                          • API String ID: 3553065328-1061343441
                                                                                          • Opcode ID: c4f3cdcd72f5c48d43794dbcce7155801f147b754bc201451984e9759feadf12
                                                                                          • Instruction ID: 1e16e01b4182d79fa8cbbb5bdea20b282e987691d3c2d002f520515d114183c8
                                                                                          • Opcode Fuzzy Hash: c4f3cdcd72f5c48d43794dbcce7155801f147b754bc201451984e9759feadf12
                                                                                          • Instruction Fuzzy Hash: 4741CD767002045BD710EEA9FD81D6AB3ACEBCA139B048A75FD1CC7F11E632E85486A1
                                                                                          APIs
                                                                                          • _finite.MSVCR90 ref: 6C8DD49D
                                                                                          • _isnan.MSVCR90 ref: 6C8DD4B9
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,cannot convert float infinity to integer), ref: 6C8DD4CD
                                                                                          • _isnan.MSVCR90 ref: 6C8DD4E7
                                                                                          • PyString_FromString.PYTHON27(cannot convert float NaN to integer), ref: 6C8DD4FB
                                                                                          • PyErr_SetObject.PYTHON27(6CA65D10,00000000,cannot convert float NaN to integer), ref: 6C8DD504
                                                                                          • frexp.MSVCR90 ref: 6C8DD54F
                                                                                          • PyLong_FromLong.PYTHON27(00000000), ref: 6C8DD566
                                                                                          Strings
                                                                                          • cannot convert float NaN to integer, xrefs: 6C8DD4F6
                                                                                          • cannot convert float infinity to integer, xrefs: 6C8DD4C7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromString_isnan$LongLong_ObjectString__finitefrexp
                                                                                          • String ID: cannot convert float NaN to integer$cannot convert float infinity to integer
                                                                                          • API String ID: 2678645882-126850158
                                                                                          • Opcode ID: 5537eb0a3bcf4f84763eacad4083e74d7d691100a49bf4b0032c02c974079fe1
                                                                                          • Instruction ID: 0193b653216e03f6c749bc4ec326ca65b73c539178d0487647d07893228ee515
                                                                                          • Opcode Fuzzy Hash: 5537eb0a3bcf4f84763eacad4083e74d7d691100a49bf4b0032c02c974079fe1
                                                                                          • Instruction Fuzzy Hash: CA413F71A0911097DB107F65ED4566ABBB4EF81319F110A79FDC886690FB32D828CBE2
                                                                                          APIs
                                                                                          • strrchr.MSVCR90 ref: 6C940940
                                                                                          • PyString_FromString.PYTHON27(PyErr_NewException: name must be module.class,?,?,?,6C8276FD,_csv.Error,00000000,00000000), ref: 6C94095E
                                                                                          • PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyErr_NewException: name must be module.class,?,?,?,6C8276FD,_csv.Error,00000000,00000000), ref: 6C940967
                                                                                          • PyDict_New.PYTHON27(?,?,?,6C8276FD,_csv.Error,00000000,00000000), ref: 6C9409A1
                                                                                          • PyString_FromString.PYTHON27(__module__,?,?,?,6C8276FD,_csv.Error,00000000,00000000), ref: 6C9409B9
                                                                                          • PyDict_GetItem.PYTHON27(6C8276FD,00000000,?,?,?,?,6C8276FD,_csv.Error,00000000,00000000), ref: 6C9409C9
                                                                                          • PyString_FromStringAndSize.PYTHON27(00000000,00000000,?,?,?,?,6C8276FD,_csv.Error,00000000,00000000), ref: 6C9409F3
                                                                                          • PyDict_SetItemString.PYTHON27(6C8276FD,__module__,00000000,?,?,?,?,?,?,6C8276FD,_csv.Error,00000000,00000000), ref: 6C940A0C
                                                                                          • PyTuple_Pack.PYTHON27(00000001,?), ref: 6C940A30
                                                                                          • PyObject_CallFunction.PYTHON27(?,sOO,?,00000000,6C8276FD), ref: 6C940A50
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$Dict_FromString_$Item$CallErr_FunctionObjectObject_PackSizeTuple_strrchr
                                                                                          • String ID: PyErr_NewException: name must be module.class$__module__$sOO
                                                                                          • API String ID: 1095792495-3598547424
                                                                                          • Opcode ID: 590ac6f4caee827d9841d054d15c036ff4ca06daf232224c6ed5678e3e51a0ae
                                                                                          • Instruction ID: 112ced6f48bcf7c0fca31223371f6c35544c7f9f2e2745f851efcb5b172dea5b
                                                                                          • Opcode Fuzzy Hash: 590ac6f4caee827d9841d054d15c036ff4ca06daf232224c6ed5678e3e51a0ae
                                                                                          • Instruction Fuzzy Hash: 8A4122B2A002025FC310DE699C449AB77E8EF95338F158729EC6847B81E734DC46CBE2
                                                                                          APIs
                                                                                          • PySys_GetObject.PYTHON27(stderr,?,0000005F,?), ref: 6C9677C4
                                                                                          • PyType_IsSubtype.PYTHON27(?,?,?), ref: 6C9677E6
                                                                                          • _vsnprintf.MSVCR90 ref: 6C967819
                                                                                          • PyFile_WriteString.PYTHON27(?,00000000), ref: 6C96782C
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C967838
                                                                                          • fputs.MSVCR90 ref: 6C96784B
                                                                                          • PyFile_WriteString.PYTHON27(... truncated,00000000), ref: 6C967866
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C967872
                                                                                          • fputs.MSVCR90 ref: 6C967883
                                                                                          • vfprintf.MSVCR90 ref: 6C96789D
                                                                                          • PyErr_Restore.PYTHON27(?,?,?), ref: 6C9678BB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$ClearFile_StringWritefputs$ObjectRestoreSubtypeSys_Type__vsnprintfvfprintf
                                                                                          • String ID: ... truncated$stderr
                                                                                          • API String ID: 1300025650-2073631001
                                                                                          • Opcode ID: a7acc814d8c250f40c4339758ee0c5c17d58793e80991aedf5462323b4fbc23d
                                                                                          • Instruction ID: 97ef9ea47ac5890c7eb7ccae364ebea0fd87b7d6fd0dd7cf043753d48cb503d1
                                                                                          • Opcode Fuzzy Hash: a7acc814d8c250f40c4339758ee0c5c17d58793e80991aedf5462323b4fbc23d
                                                                                          • Instruction Fuzzy Hash: 964161B1E402169BDB24CF5ACD80EAAB7BCEB49304F1145EDE50997B41D730EE44CBA5
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: __iob_funcfprintf$ClearFreeInt_List
                                                                                          • String ID: # <int at %p, refcnt=%ld, val=%ld>$# cleanup ints$: %d unfreed int%s$R
                                                                                          • API String ID: 1369846620-1170346019
                                                                                          • Opcode ID: 61bf03330c575449ec4ce6caf5c9d5705244677c20e3b8e242d913b5c1310ea3
                                                                                          • Instruction ID: 56d2567296c38082d26c018ce10d70b063712a70f391b4dd2d4ed4213c432130
                                                                                          • Opcode Fuzzy Hash: 61bf03330c575449ec4ce6caf5c9d5705244677c20e3b8e242d913b5c1310ea3
                                                                                          • Instruction Fuzzy Hash: 6B3147B1A02215DBEB20AF69DE40B5A73B8AF01318F1B4966DC4597B40DB35FD41CBE1
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: __iob_func$fprintf$State_$EnsureRelease
                                                                                          • String ID: type : %srefcount: %ldaddress : %p$NULL$NULL$object :
                                                                                          • API String ID: 1153749589-2731072057
                                                                                          • Opcode ID: 5ddddb2ea43038cc5ea4571e07ad6a097b07197c974567aecbf69328eeb54c67
                                                                                          • Instruction ID: b6c04dbb71aa73c24152915af134c27150287ea5c7e780f9675a95a336378dc7
                                                                                          • Opcode Fuzzy Hash: 5ddddb2ea43038cc5ea4571e07ad6a097b07197c974567aecbf69328eeb54c67
                                                                                          • Instruction Fuzzy Hash: 7901F7B27042646FE71067AADC09FAB736CEF4236CF590815F805DBA41DA31F8508AF4
                                                                                          APIs
                                                                                          • PyUnicodeUCS2_DecodeLatin1.PYTHON27(?,?,?,?,00000000,?,?,?,6C822548,?,?,?,?), ref: 6C90B719
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: DecodeLatin1Unicode
                                                                                          • String ID: character mapping must be in range(0x110000)$character mapping must return integer, None or unicode$character maps to <undefined>$charmap
                                                                                          • API String ID: 2178874186-3975267084
                                                                                          • Opcode ID: f26a601dd0336851af32c07f7ab40a99661bed30f9c355b7023f2b2851f1fcc2
                                                                                          • Instruction ID: d65554367f67204c2b34e0b69a561b381a0b3d3a3c7a16d3f281326bb7601f98
                                                                                          • Opcode Fuzzy Hash: f26a601dd0336851af32c07f7ab40a99661bed30f9c355b7023f2b2851f1fcc2
                                                                                          • Instruction Fuzzy Hash: A6E16276F0010A9FCB04CFA8C8819AEB7B9BF54318F1582ADD8159BB51D734EE46CB91
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(idx cannot be negative,?,?,?,?,?,6C82C59D,FFFFFFFD,?,?,?), ref: 6C82D532
                                                                                          • PyErr_SetObject.PYTHON27(6CA65D10,00000000,?), ref: 6C82D53E
                                                                                          • PyErr_SetObject.PYTHON27(6CA64978,00000000,?,?,?,?,?,6C82C59D,FFFFFFFD,?,?,?), ref: 6C82D571
                                                                                          • PyObject_IsTrue.PYTHON27(?,?,?,?,?,?,6C82C59D,FFFFFFFD,?,?,?), ref: 6C82D5A8
                                                                                          • _Py_CheckRecursiveCall.PYTHON27( while decoding a JSON object from a byte string), ref: 6C82D5F5
                                                                                            • Part of subcall function 6C92E7C0: PyOS_CheckStack.PYTHON27(?,?,6C8AF0AA, while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C92E7CA
                                                                                            • Part of subcall function 6C92E7C0: PyErr_SetString.PYTHON27(6CA667A8,Stack overflow,?,?,6C8AF0AA, while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C92E7E1
                                                                                          • _Py_CheckRecursiveCall.PYTHON27( while decoding a JSON array from a byte string), ref: 6C82D64D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckErr_$CallObjectRecursiveString$FromObject_StackString_True
                                                                                          • String ID: while decoding a JSON array from a byte string$ while decoding a JSON object from a byte string$-Infinity$Infinity$NaN$idx cannot be negative
                                                                                          • API String ID: 1039784377-1788033179
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(idx cannot be negative,?,?,?,?,?,6C82C9D7,FFFFFFFD,?,?,?), ref: 6C82D935
                                                                                          • PyErr_SetObject.PYTHON27(6CA65D10,00000000,?), ref: 6C82D941
                                                                                          • PyErr_SetObject.PYTHON27(6CA64978,00000000,?,?,?,?,?,6C82C9D7,FFFFFFFD,?,?,?), ref: 6C82D974
                                                                                          • PyObject_IsTrue.PYTHON27(?,?,?,?,?,?,6C82C9D7,FFFFFFFD,?,?,?), ref: 6C82D9AA
                                                                                          • _Py_CheckRecursiveCall.PYTHON27( while decoding a JSON object from a unicode string), ref: 6C82D9F0
                                                                                            • Part of subcall function 6C92E7C0: PyOS_CheckStack.PYTHON27(?,?,6C8AF0AA, while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C92E7CA
                                                                                            • Part of subcall function 6C92E7C0: PyErr_SetString.PYTHON27(6CA667A8,Stack overflow,?,?,6C8AF0AA, while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C92E7E1
                                                                                          • _Py_CheckRecursiveCall.PYTHON27( while decoding a JSON array from a unicode string), ref: 6C82DA47
                                                                                          Strings
                                                                                          • Infinity, xrefs: 6C82DC0D
                                                                                          • while decoding a JSON object from a unicode string, xrefs: 6C82D9EB
                                                                                          • NaN, xrefs: 6C82DB8B
                                                                                          • -Infinity, xrefs: 6C82DC77
                                                                                          • while decoding a JSON array from a unicode string, xrefs: 6C82DA42
                                                                                          • idx cannot be negative, xrefs: 6C82D930
                                                                                          Similarity
                                                                                          • API ID: CheckErr_$CallObjectRecursiveString$FromObject_StackString_True
                                                                                          • String ID: while decoding a JSON array from a unicode string$ while decoding a JSON object from a unicode string$-Infinity$Infinity$NaN$idx cannot be negative
                                                                                          • API String ID: 1039784377-3695714963
                                                                                          APIs
                                                                                          • PyDict_GetItem.PYTHON27(00000000,?,?,?,?,?,?,6C8C6452,?,?,00000001), ref: 6C8C650F
                                                                                          • PyObject_CallMethod.PYTHON27(?,keys,00000000,?,?,?,?,?,6C8C6452,?,?,00000001), ref: 6C8C6566
                                                                                          • PyObject_GetIter.PYTHON27(00000000), ref: 6C8C6579
                                                                                          • PyIter_Next.PYTHON27(00000000), ref: 6C8C65A1
                                                                                          • PyDict_GetItem.PYTHON27(?,00000000), ref: 6C8C65BE
                                                                                          • PyObject_GetItem.PYTHON27(?,00000000), ref: 6C8C65DF
                                                                                          • PyDict_SetItem.PYTHON27(?,00000000,00000000), ref: 6C8C65F3
                                                                                          • PyIter_Next.PYTHON27(?), ref: 6C8C662B
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,0000066D,?,?,?,?,?,6C8C6452,?,?,00000001), ref: 6C8C66C3
                                                                                          Similarity
                                                                                          • API ID: Item$Dict_Object_$Iter_Next$CallErr_FormatIterMethod
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\dictobject.c$keys
                                                                                          • API String ID: 3758137212-1154662420
                                                                                          APIs
                                                                                          • PyArg_ParseTuple.PYTHON27(?,nO:nlargest,?,?), ref: 6C82879F
                                                                                          • PyObject_GetIter.PYTHON27(?), ref: 6C8287B4
                                                                                            • Part of subcall function 6C8AFF00: PySequence_Check.PYTHON27(?), ref: 6C8AFF18
                                                                                            • Part of subcall function 6C8AFF00: PySeqIter_New.PYTHON27(?), ref: 6C8AFF25
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C828801
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          • PyIter_Next.PYTHON27(?), ref: 6C82883D
                                                                                          • PyList_Append.PYTHON27(00000000,00000000), ref: 6C828851
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C8288F8
                                                                                          • PyList_Sort.PYTHON27(00000000), ref: 6C8289AB
                                                                                          • PyList_Reverse.PYTHON27(00000000), ref: 6C8289B9
                                                                                          Similarity
                                                                                          • API ID: DebugList_OutputString$Iter_Object___iob_func$AppendArg_CheckErrorFatalIterMallocNextParseReverseSequence_SortTupleabortfflushfprintf
                                                                                          • String ID: GC object already tracked$nO:nlargest
                                                                                          • API String ID: 3411264338-810278830
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\unicodeobject.c,000001A4,?,?,?,?,?,6C90B823,?,?,?,00000000), ref: 6C906538
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\unicodeobject.c
                                                                                          • API String ID: 376477240-2140310296
                                                                                          APIs
                                                                                          Strings
                                                                                          • -J is reserved for Jython, xrefs: 6C9460BB
                                                                                          • 3bBc:dEhiJm:OQ:RsStuUvVW:xX?, xrefs: 6C9460F3
                                                                                          • Argument expected for the -%c option, xrefs: 6C94616E
                                                                                          • --help, xrefs: 6C946018
                                                                                          • -X is reserved for implementation-specific arguments, xrefs: 6C9460EB
                                                                                          • --version, xrefs: 6C946058
                                                                                          • Unknown option: -%c, xrefs: 6C94610E
                                                                                          Similarity
                                                                                          • API ID: __iob_funcfprintf$strchr
                                                                                          • String ID: --help$--version$-J is reserved for Jython$-X is reserved for implementation-specific arguments$3bBc:dEhiJm:OQ:RsStuUvVW:xX?$Argument expected for the -%c option$Unknown option: -%c
                                                                                          • API String ID: 404167010-1173465839
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(0000002C), ref: 6C8D57D0
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\tupleobject.c,00000072), ref: 6C8D5834
                                                                                          • PyErr_SetString.PYTHON27(6CA65B38,tuple index out of range), ref: 6C8D5855
                                                                                          • PyString_FromString.PYTHON27(__name__), ref: 6C8D588E
                                                                                          • PyString_InternInPlace.PYTHON27(?), ref: 6C8D58A7
                                                                                          • PyDict_GetItem.PYTHON27(?,?), ref: 6C8D58D8
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8D58F7
                                                                                          Strings
                                                                                          • tuple index out of range, xrefs: 6C8D584F
                                                                                          • __name__, xrefs: 6C8D5889
                                                                                          • GC object already tracked, xrefs: 6C8D58F2
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D582E
                                                                                          • ..\Objects\tupleobject.c, xrefs: 6C8D5829
                                                                                          Similarity
                                                                                          • API ID: Err_StringString_$Dict_ErrorFatalFormatFromInternItemMallocObject_Place
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\tupleobject.c$GC object already tracked$__name__$tuple index out of range
                                                                                          APIs
                                                                                          • PyArg_ParseTuple.PYTHON27(?,s:logreader,?), ref: 6C82A495
                                                                                          • PyObject_Malloc.PYTHON27(00000018), ref: 6C82A4AC
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C82A4B8
                                                                                            • Part of subcall function 6C940380: PyErr_GivenExceptionMatches.PYTHON27(00000000,6CA667A8,?,6C8F7E82,00000000,6C8AB1D5,?,?,?,6C8AF66F,00000000,?,00000000,6C8AF785,00000000), ref: 6C940396
                                                                                            • Part of subcall function 6C940380: PyErr_SetObject.PYTHON27(6CA667A8,?), ref: 6C9403B3
                                                                                          • fopen.MSVCR90 ref: 6C82A4F4
                                                                                          • PyErr_SetFromErrnoWithFilename.PYTHON27(6CA64EC0,6CA8C1E0), ref: 6C82A50F
                                                                                          • PyDict_New.PYTHON27 ref: 6C82A516
                                                                                            • Part of subcall function 6C8C4510: PyString_FromString.PYTHON27(<dummy key>,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4529
                                                                                          • fgetc.MSVCR90 ref: 6C82A52C
                                                                                          • ungetc.MSVCR90 ref: 6C82A560
                                                                                            • Part of subcall function 6C829140: PyDict_GetItem.PYTHON27(?,?), ref: 6C829180
                                                                                            • Part of subcall function 6C829140: PyList_New.PYTHON27(00000000), ref: 6C829193
                                                                                            • Part of subcall function 6C829140: PyDict_SetItem.PYTHON27(?,?,00000000), ref: 6C8291A7
                                                                                          • fgetc.MSVCR90 ref: 6C82A548
                                                                                          • PyErr_SetString.PYTHON27(6CA65248,unexpected error), ref: 6C82A58A
                                                                                          Similarity
                                                                                          • API ID: Err_$Dict_$FromItemStringfgetc$Arg_ErrnoExceptionFilenameGivenList_MallocMatchesMemoryObjectObject_ParseString_TupleWithfopenungetc
                                                                                          • String ID: s:logreader$unexpected error
                                                                                          APIs
                                                                                          • Py_ReprEnter.PYTHON27(?), ref: 6C8247A9
                                                                                            • Part of subcall function 6C8E7E70: PyDict_New.PYTHON27 ref: 6C8E7E8E
                                                                                            • Part of subcall function 6C8E7E70: PyErr_Clear.PYTHON27 ref: 6C8E7EA0
                                                                                            • Part of subcall function 6C8E7E70: PyString_FromString.PYTHON27(Py_Repr), ref: 6C8E7EBB
                                                                                            • Part of subcall function 6C8E7E70: PyDict_GetItem.PYTHON27(?,00000000), ref: 6C8E7ECB
                                                                                            • Part of subcall function 6C8E7E70: Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8E7F4F
                                                                                            • Part of subcall function 6C8E7E70: PyDict_SetItemString.PYTHON27(?,Py_Repr,00000000), ref: 6C8E7F81
                                                                                            • Part of subcall function 6C8E7E70: PyList_Append.PYTHON27(-000000FF,000000FE), ref: 6C8E7FBE
                                                                                          • PyString_FromString.PYTHON27([...]), ref: 6C8247C3
                                                                                          • PySequence_List.PYTHON27(?), ref: 6C8247D2
                                                                                          • Py_ReprLeave.PYTHON27(?), ref: 6C8247E1
                                                                                          Similarity
                                                                                          • API ID: Dict_String$FromItemReprString_$AppendClearEnterErr_ErrorFatalLeaveListList_Sequence_
                                                                                          • String ID: [...]$deque(%%r, maxlen=%zd)$deque(%r)
                                                                                          APIs
                                                                                          • PyObject_GetAttrString.PYTHON27(?,__dict__,6CA69E88,?,?,?,6C8E774A), ref: 6C8E75B3
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8E75C1
                                                                                          • PyDict_New.PYTHON27 ref: 6C8E75C6
                                                                                            • Part of subcall function 6C8C4510: PyString_FromString.PYTHON27(<dummy key>,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4529
                                                                                            • Part of subcall function 6C8E71D0: PyObject_GetAttrString.PYTHON27(?,__dict__,00000000,00000000), ref: 6C8E71E2
                                                                                            • Part of subcall function 6C8E71D0: PyErr_Clear.PYTHON27(00000000), ref: 6C8E71F0
                                                                                            • Part of subcall function 6C8E71D0: PyObject_GetAttrString.PYTHON27(?,__bases__,?,?,?,00000000), ref: 6C8E7227
                                                                                            • Part of subcall function 6C8E71D0: PyErr_Clear.PYTHON27(?,?,?,?,?,00000000), ref: 6C8E7235
                                                                                          • PyDict_New.PYTHON27 ref: 6C8E75E9
                                                                                          • PyObject_GetAttrString.PYTHON27(?,__class__), ref: 6C8E7642
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8E7650
                                                                                          • PyDict_Keys.PYTHON27(00000000), ref: 6C8E7666
                                                                                          Similarity
                                                                                          • API ID: String$AttrClearErr_Object_$Dict_$FromKeysString_
                                                                                          • String ID: __class__$__dict__$__members__$__methods__
                                                                                          APIs
                                                                                          • PyArg_ParseTuple.PYTHON27(?,nO:nsmallest,?,?), ref: 6C828CCF
                                                                                          • PyObject_GetIter.PYTHON27(?), ref: 6C828CE4
                                                                                            • Part of subcall function 6C8AFF00: PySequence_Check.PYTHON27(?), ref: 6C8AFF18
                                                                                            • Part of subcall function 6C8AFF00: PySeqIter_New.PYTHON27(?), ref: 6C8AFF25
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C828D31
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          • PyIter_Next.PYTHON27(?), ref: 6C828D6B
                                                                                          • PyList_Append.PYTHON27(00000000,00000000), ref: 6C828D7F
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C828E29
                                                                                          • PyList_Sort.PYTHON27(00000000), ref: 6C828EDA
                                                                                          Similarity
                                                                                          • API ID: DebugOutputString$Iter_List_Object___iob_func$AppendArg_CheckErrorFatalIterMallocNextParseSequence_SortTupleabortfflushfprintf
                                                                                          • String ID: GC object already tracked$nO:nsmallest
                                                                                          APIs
                                                                                          • PyDict_GetItem.PYTHON27(?,?), ref: 6C8D5156
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8D5178
                                                                                          • PyModule_GetDict.PYTHON27(00000000), ref: 6C8D5190
                                                                                          • PyDict_New.PYTHON27 ref: 6C8D51A1
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,None,?), ref: 6C8D51B8
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,?), ref: 6C8D5216
                                                                                            • Part of subcall function 6C85BAA0: _PyObject_GC_Malloc.PYTHON27(?), ref: 6C85BABC
                                                                                          • _PyObject_GC_Resize.PYTHON27(?,?), ref: 6C8D5257
                                                                                          • PyDict_New.PYTHON27 ref: 6C8D52F5
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8D5352
                                                                                          Similarity
                                                                                          • API ID: Dict_$Object_$Item$DictErrorFatalMallocModule_ResizeStringSubtypeType_
                                                                                          • String ID: GC object already tracked$None
                                                                                          APIs
                                                                                          • PyDict_Size.PYTHON27(?), ref: 6C836625
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%s() takes at most %d positional arguments (%zd given),findall,00000003,?), ref: 6C836651
                                                                                          • _PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(7FFFFFFF,?,|OnnO:findall,6CA80E04,?,?,7FFFFFFF,?), ref: 6C83667D
                                                                                          • PyList_New.PYTHON27(00000000), ref: 6C8366CE
                                                                                          • PyTuple_New.PYTHON27(7FFFFFFF,?), ref: 6C836751
                                                                                          • PyList_Append.PYTHON27(?,00000000,?,?,?), ref: 6C8367F7
                                                                                            • Part of subcall function 6C835F50: PySequence_GetSlice.PYTHON27(6CA5FB7C,?,?), ref: 6C835F93
                                                                                          • PySequence_GetSlice.PYTHON27(?,?,?,?), ref: 6C8367E4
                                                                                          Similarity
                                                                                          • API ID: List_Sequence_SizeSlice$AppendArg_Dict_Err_FormatKeywords_ParseTupleTuple_
                                                                                          • String ID: %s() takes at most %d positional arguments (%zd given)$findall$source$|OnnO:findall
                                                                                          • API String ID: 41004728-684798393
                                                                                          • Opcode ID: 95f280a15226c4412751aa939057383eb41e06aef4f8713b1909b3841fbed33f
                                                                                          • Instruction ID: b1132e09b10d078b0b40bc03798615b8d2a46fd673a268bd1d9aeb3d8c29bfdc
                                                                                          • Opcode Fuzzy Hash: 95f280a15226c4412751aa939057383eb41e06aef4f8713b1909b3841fbed33f
                                                                                          • Instruction Fuzzy Hash: 4C716471D00225ABCB24DFDCDD8099A73B8BB49318F14AAA8D92CE7640D731EE55CBD0
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AE7E4
                                                                                          • PyList_AsTuple.PYTHON27(?), ref: 6C8AE80E
                                                                                            • Part of subcall function 6C8DC3D0: PyTuple_New.PYTHON27(?), ref: 6C8DC3F1
                                                                                          • PyObject_GetIter.PYTHON27(?), ref: 6C8AE81D
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AE7DE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_IterList_Object_StringTupleTuple_
                                                                                          • String ID: null argument to internal routine
                                                                                          • API String ID: 2917739512-2212441169
                                                                                          • Opcode ID: e01647775198c67379564a67494bc45e89f589d22fab4e75a619ba77f3733d36
                                                                                          • Instruction ID: eec44d1ade48ef63f563c29cdb9f62841cfbb91d8c9edca5fdd078d1bee46d07
                                                                                          • Opcode Fuzzy Hash: e01647775198c67379564a67494bc45e89f589d22fab4e75a619ba77f3733d36
                                                                                          • Instruction Fuzzy Hash: 7351F772E006159BC720CEE8EE4089A73B8EB55338B284F65EC1887B40E735E967C7D1
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(__class__,?,?,?,?,6C8AFC7B,?), ref: 6C8AF9A7
                                                                                          • PyString_InternInPlace.PYTHON27(?), ref: 6C8AF9BA
                                                                                          • PyClass_IsSubclass.PYTHON27(?,?,?,?,?,?,?,6C8AFC7B,?), ref: 6C8AF9F7
                                                                                          • PyType_IsSubtype.PYTHON27(?,?,?,?,?,?,?,6C8AFC7B,?), ref: 6C8AFA1A
                                                                                          • PyObject_GetAttr.PYTHON27(?,?), ref: 6C8AFA2A
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8AFA38
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8AFA6A
                                                                                          • PyObject_GetAttr.PYTHON27(?,?), ref: 6C8AFAB1
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8AFABF
                                                                                          Strings
                                                                                          • __class__, xrefs: 6C8AF9A2
                                                                                          • isinstance() arg 2 must be a class, type, or tuple of classes and types, xrefs: 6C8AFA8E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttrClearErr_Object_String_SubtypeType_$Class_FromInternPlaceStringSubclass
                                                                                          • String ID: __class__$isinstance() arg 2 must be a class, type, or tuple of classes and types
                                                                                          • API String ID: 4175812343-2868327839
                                                                                          • Opcode ID: b0c1920bdece417d88719a0e2eee980608acd526d774278cf3eaa950df45f70a
                                                                                          • Instruction ID: 9fcff879a8ac3e4f9edc4ffad73c86c82f6ce2bd68f3956603e675eff3cd7730
                                                                                          • Opcode Fuzzy Hash: b0c1920bdece417d88719a0e2eee980608acd526d774278cf3eaa950df45f70a
                                                                                          • Instruction Fuzzy Hash: F5412877B00115578720DAAEBE406EAB3A8DB9527DB180775ED1CC7F40E621EC1783E1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\longobject.c,000003B2), ref: 6C8DE178
                                                                                          • PyInt_AsLong.PYTHON27(?), ref: 6C8DE1A7
                                                                                          Strings
                                                                                          • ..\Objects\longobject.c, xrefs: 6C8DE16D
                                                                                          • integer conversion failed, xrefs: 6C8DE253
                                                                                          • an integer is required, xrefs: 6C8DE273
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8DE172
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FormatInt_Long
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\longobject.c$an integer is required$integer conversion failed
                                                                                          • API String ID: 651860925-798106294
                                                                                          • Opcode ID: 548cacfa8b647b44c55a3d5fbcee0aae10aff2ac177a0c7f3764d2bcf9bc78ee
                                                                                          • Instruction ID: 782d0c9fde9bf22ceb62268fcea7f294ac9823e89ecae093d002c4e0719a183c
                                                                                          • Opcode Fuzzy Hash: 548cacfa8b647b44c55a3d5fbcee0aae10aff2ac177a0c7f3764d2bcf9bc78ee
                                                                                          • Instruction Fuzzy Hash: EE412C72B0120517E620D96DAD81E96F395EB84239F254B7DFD2CC7BC0E726E81683E1
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                          • PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%s expected %s%zd arguments, got %zd,00000002,6C96AF8E,6C96AF8E,?), ref: 6C945E0F
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,unpacked tuple should have %s%zd elements, but has %zd,6C96AF8E,6C96AF8E,?), ref: 6C945E38
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%s expected %s%zd arguments, got %zd,00000002,6C96AF8E,6C96AF8E,?), ref: 6C945E74
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,unpacked tuple should have %s%zd elements, but has %zd,6C96AF8E,6C96AF8E,?), ref: 6C945EA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$Format$FromObjectStringString_
                                                                                          • String ID: %s expected %s%zd arguments, got %zd$PyArg_UnpackTuple() argument list is not a tuple$at least $at most $unpacked tuple should have %s%zd elements, but has %zd
                                                                                          • API String ID: 542344229-3688193887
                                                                                          • Opcode ID: a2ce5674bc4bee7e04bad25f7f7a0a6ee4fbf7a2bf078892ba900243214fa79e
                                                                                          • Instruction ID: 88edc0715d1e0cdd6c2b51f4ad00682b8038374886d991e65ce68cb1c005a298
                                                                                          • Opcode Fuzzy Hash: a2ce5674bc4bee7e04bad25f7f7a0a6ee4fbf7a2bf078892ba900243214fa79e
                                                                                          • Instruction Fuzzy Hash: 9F411672B151252BD710DE68EC41DAB33BCEFA5228B14C6A9FC18D7B01EA21EC55C7E1
                                                                                          Strings
                                                                                          • PyCapsule_Import could not import module "%s", xrefs: 6C8B9570
                                                                                          • PyCapsule_Import "%s" is not valid, xrefs: 6C8B958A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: PyCapsule_Import "%s" is not valid$PyCapsule_Import could not import module "%s"
                                                                                          • API String ID: 0-4167395026
                                                                                          • Opcode ID: 0fc4cdd01e77ce3a85fd706db3f60afb3a81f3e10fd7f419edd661b1a63636a1
                                                                                          • Instruction ID: 30ccc69d4300c365df03449b7e112ca800a9b6cc6a0016a5bda5efa4b997dd0f
                                                                                          • Opcode Fuzzy Hash: 0fc4cdd01e77ce3a85fd706db3f60afb3a81f3e10fd7f419edd661b1a63636a1
                                                                                          • Instruction Fuzzy Hash: FD418EB6A416105BC7208F79DB8089F77B4DFA5328B158A28EC28A7B41EB31DD45C7D0
                                                                                          APIs
                                                                                          • PyOS_snprintf.PYTHON27(?,00000200,%.200s() ,?,?,?), ref: 6C943993
                                                                                          • PyOS_snprintf.PYTHON27(?,?,argument %d,?,?,?), ref: 6C9439C1
                                                                                          • PyOS_snprintf.PYTHON27(?,?,, item %d,?,?,?,?,?), ref: 6C943A08
                                                                                          • PyOS_snprintf.PYTHON27(?,?,argument,?,?), ref: 6C943A35
                                                                                          • PyOS_snprintf.PYTHON27(?,?, %.256s,?,?,?,?), ref: 6C943A60
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,6C9459A9,?,?), ref: 6C943A75
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: S_snprintf$Err_String
                                                                                          • String ID: %.256s$%.200s() $, item %d$argument$argument %d
                                                                                          • API String ID: 2015450010-3294918661
                                                                                          • Opcode ID: 01c3655e378664b05f83c7ec421f88029af51f6bbad366344668f737762a8021
                                                                                          • Instruction ID: 0b7bf6cfde4fa5ae0e2bb453289f729a954938427dff6de0c875ff1fab4e8275
                                                                                          • Opcode Fuzzy Hash: 01c3655e378664b05f83c7ec421f88029af51f6bbad366344668f737762a8021
                                                                                          • Instruction Fuzzy Hash: F5414532A00125AFD711DE3CCD58EDA77B9EF56308F15C694E85897A06EB30DA08C7D0
                                                                                          APIs
                                                                                          • PyObject_Size.PYTHON27(?), ref: 6C8AB13C
                                                                                            • Part of subcall function 6C8AB0D0: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AB0F0
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA648B0), ref: 6C8AB160
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA655C0), ref: 6C8AB17D
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8AB192
                                                                                          • PyObject_CallFunctionObjArgs.PYTHON27(00000000,00000000), ref: 6C8AB1D0
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA648B0), ref: 6C8AB200
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA655C0), ref: 6C8AB21D
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8AB22D
                                                                                          • PyNumber_Check.PYTHON27(00000000), ref: 6C8AB23C
                                                                                          • PyInt_AsSsize_t.PYTHON27(00000000), ref: 6C8AB249
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$ExceptionGivenMatches$ClearObject_$ArgsCallCheckFunctionInt_Number_SizeSsize_tString
                                                                                          • String ID: __length_hint__
                                                                                          • API String ID: 722120710-752084073
                                                                                          • Opcode ID: 68710db441b313af8ec7bece384595287bd300da1513fac719d35eb0e19159f6
                                                                                          • Instruction ID: 37b1d1a64c34178f28a12b550fcbc32a54623ec55228cb4291212037dae2f170
                                                                                          • Opcode Fuzzy Hash: 68710db441b313af8ec7bece384595287bd300da1513fac719d35eb0e19159f6
                                                                                          • Instruction Fuzzy Hash: AE314CB6B0020647C7248AE9ED419BA73789B59279B048779ED2C87B81FB30EC13C3D1
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: strchrstrncpy$FileModuleName$_stat64i32getenv
                                                                                          • String ID: PATH
                                                                                          • API String ID: 2662838222-1036084923
                                                                                          • Opcode ID: 95476674169db338e005f8bc96fde7dfadadd44272ffe4a664f9f48a4ae85e59
                                                                                          • Instruction ID: 0e25feb263b88951f65cbd5c99b02e3e6aeca6005489a6fc363d0fbc603a42c3
                                                                                          • Opcode Fuzzy Hash: 95476674169db338e005f8bc96fde7dfadadd44272ffe4a664f9f48a4ae85e59
                                                                                          • Instruction Fuzzy Hash: 67318931B09391AFE71056AA5C10F673B7CDB4139DF150569FDD893A80EB2AE40486F2
                                                                                          APIs
                                                                                          • PyObject_GetAttrString.PYTHON27(?,__dict__), ref: 6C8246CF
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8246DD
                                                                                          • PySequence_List.PYTHON27(?), ref: 6C8246E3
                                                                                          • Py_BuildValue.PYTHON27(O(O),?,00000000), ref: 6C824723
                                                                                          • Py_BuildValue.PYTHON27(O(On),?,00000000,?), ref: 6C82473A
                                                                                          • Py_BuildValue.PYTHON27(O(On)O,?,00000000,?,00000000), ref: 6C824768
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: BuildValue$AttrClearErr_ListObject_Sequence_String
                                                                                          • String ID: O(O)$O(OO)O$O(On)$O(On)O$__dict__
                                                                                          • API String ID: 2089117489-2102791102
                                                                                          • Opcode ID: f96068607876c7d717fb40fa654ef5384c5a28b40dd5b5a768a70dbd5e1ac108
                                                                                          • Instruction ID: 5eb04bae3f78225145943e57dd20c4e07f32a487b61fdbdf55cfe0e6c165fb2f
                                                                                          • Opcode Fuzzy Hash: f96068607876c7d717fb40fa654ef5384c5a28b40dd5b5a768a70dbd5e1ac108
                                                                                          • Instruction Fuzzy Hash: 5B214BB65001156FA31085699D80C6773BCEAD33787144F28F97987F80E728EC518BF2
                                                                                          APIs
                                                                                          • Py_InitModule4.PYTHON27(_collections,00000000,High performance data structures.- deque: ordered collection accessible from endpoints only- defaultdict: dict subclass with a default value factory,00000000,000003F5), ref: 6C8257C4
                                                                                          • PyType_Ready.PYTHON27(6CA8FF60), ref: 6C8257D7
                                                                                          • PyModule_AddObject.PYTHON27(00000000,deque,6CA8FF60), ref: 6C8257F4
                                                                                            • Part of subcall function 6C94EC70: PyType_IsSubtype.PYTHON27(?,?,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94EC87
                                                                                            • Part of subcall function 6C94EC70: PyErr_SetString.PYTHON27(6CA648B0,PyModule_AddObject() needs module as first arg,deque,6CA8FF60), ref: 6C94EC9E
                                                                                          • PyType_Ready.PYTHON27(6CA904E8,00000000,deque,6CA8FF60), ref: 6C825808
                                                                                          • PyModule_AddObject.PYTHON27(00000000,defaultdict,6CA904E8), ref: 6C825825
                                                                                            • Part of subcall function 6C94EC70: PyErr_SetString.PYTHON27(6CA648B0,PyModule_AddObject() needs non-NULL value,00000000,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94ECCB
                                                                                          • PyType_Ready.PYTHON27(6CA90080,00000000,defaultdict,6CA904E8), ref: 6C82582F
                                                                                          • PyType_Ready.PYTHON27(6CA90148), ref: 6C825840
                                                                                          Strings
                                                                                          • defaultdict, xrefs: 6C82581F
                                                                                          • _collections, xrefs: 6C8257BF
                                                                                          • deque, xrefs: 6C8257EE
                                                                                          • High performance data structures.- deque: ordered collection accessible from endpoints only- defaultdict: dict subclass with a default value factory, xrefs: 6C8257B8
                                                                                          Similarity
                                                                                          • API ID: Type_$Ready$Err_Module_ObjectString$InitModule4Subtype
                                                                                          • String ID: High performance data structures.- deque: ordered collection accessible from endpoints only- defaultdict: dict subclass with a default value factory$_collections$defaultdict$deque
                                                                                          • API String ID: 1447583621-1048529482
                                                                                          • Opcode ID: 97f8ecc71f6b670d357c537ae62ffdc4470f48f79135d3963fa7e7fa7f36b30c
                                                                                          • Instruction ID: c2b8186fae84f8749a750e876e5d770dfaabb359b17092ed394ffac97dadf907
                                                                                          • Opcode Fuzzy Hash: 97f8ecc71f6b670d357c537ae62ffdc4470f48f79135d3963fa7e7fa7f36b30c
                                                                                          • Instruction Fuzzy Hash: ADF0C23299139226E76025AD6E03BAB3090AB7509DF104C35FD28A0F4AFB14D1C682FE
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8AC6E0
                                                                                          • PyNumber_CoerceEx.PYTHON27(00000000,?), ref: 6C8AC805
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,number coercion failed), ref: 6C8AC85F
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,unsupported operand type(s) for ** or pow(): '%.100s' and '%.100s',?,?), ref: 6C8AC895
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,unsupported operand type(s) for pow(): '%.100s', '%.100s', '%.100s',?,?,?), ref: 6C8AC9E9
                                                                                          Strings
                                                                                          • unsupported operand type(s) for pow(): '%.100s', '%.100s', '%.100s', xrefs: 6C8AC9E3
                                                                                          • number coercion failed, xrefs: 6C8AC859
                                                                                          • unsupported operand type(s) for ** or pow(): '%.100s' and '%.100s', xrefs: 6C8AC88F
                                                                                          Similarity
                                                                                          • API ID: Err_$Format$CoerceNumber_StringSubtypeType_
                                                                                          • String ID: number coercion failed$unsupported operand type(s) for ** or pow(): '%.100s' and '%.100s'$unsupported operand type(s) for pow(): '%.100s', '%.100s', '%.100s'
                                                                                          • API String ID: 3280144513-1853844853
                                                                                          • Opcode ID: a3e2945003c9f6fea27e51550eaf3c72d96e8e140a8612d623737f403b550e23
                                                                                          • Instruction ID: 9acb57bd1d596b112b0febe5b3181a3d579c17044edd2478edf34c8f5aff2159
                                                                                          • Opcode Fuzzy Hash: a3e2945003c9f6fea27e51550eaf3c72d96e8e140a8612d623737f403b550e23
                                                                                          • Instruction Fuzzy Hash: 25C1D475A002059FCB14DF94CA80E9A77B5FF49324F258A68EC199BB42D736FD42CB90
                                                                                          APIs
                                                                                          • PySequence_Check.PYTHON27(?), ref: 6C826E95
                                                                                            • Part of subcall function 6C8ADF00: PyObject_GetAttrString.PYTHON27(?,__getitem__), ref: 6C8ADF1A
                                                                                          • PyErr_Format.PYTHON27(00000000,sequence expected), ref: 6C826EAD
                                                                                          • PySequence_Size.PYTHON27(?), ref: 6C826EBD
                                                                                          • PySequence_GetItem.PYTHON27(?,?), ref: 6C826EF0
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Sequence_$AttrCheckErr_FormatItemObject_SizeString
                                                                                          • String ID: (s#)$sequence expected
                                                                                          • API String ID: 2976514168-4025708905
                                                                                          • Opcode ID: bc6f6bf4b9204821fca351be7bdb6ea80e1b5bcec7d1a8641f8b8f822e0c2cf3
                                                                                          • Instruction ID: 4df980b38bd4c0f1558ab2916c28afb7b0f03decbb39b057bbdebb1b68e655cd
                                                                                          • Opcode Fuzzy Hash: bc6f6bf4b9204821fca351be7bdb6ea80e1b5bcec7d1a8641f8b8f822e0c2cf3
                                                                                          • Instruction Fuzzy Hash: 6551D5B2D012059FCB30CE79CA84A9EB3B4AF44368F244A69D814D7B40E739EE85C7D1
                                                                                          APIs
                                                                                          • PyDict_New.PYTHON27 ref: 6C8E7E8E
                                                                                            • Part of subcall function 6C8C4510: PyString_FromString.PYTHON27(<dummy key>,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4529
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8E7EA0
                                                                                          • PyString_FromString.PYTHON27(Py_Repr), ref: 6C8E7EBB
                                                                                          • PyDict_GetItem.PYTHON27(?,00000000), ref: 6C8E7ECB
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C8E7F15
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8E7F4F
                                                                                          • PyDict_SetItemString.PYTHON27(?,Py_Repr,00000000), ref: 6C8E7F81
                                                                                          • PyList_Append.PYTHON27(-000000FF,000000FE), ref: 6C8E7FBE
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Dict_String$FromItemString_$AppendClearErr_ErrorFatalList_MallocObject_
                                                                                          • String ID: GC object already tracked$Py_Repr
                                                                                          • API String ID: 2081235056-2690712102
                                                                                          • Opcode ID: 7f04dd97cfe96dcae459f08a09d7ad96f8c5ee3c9aaa67ee9ed847652089ac61
                                                                                          • Instruction ID: dd206c68c66046359dad3d99cbb8107917569f03c0d7a1c15422eb8c454b00de
                                                                                          • Opcode Fuzzy Hash: 7f04dd97cfe96dcae459f08a09d7ad96f8c5ee3c9aaa67ee9ed847652089ac61
                                                                                          • Instruction Fuzzy Hash: 60410B716016028BC734CF5DE940966B7E4FB8B3287248B68E52987B85E731E856C7D1
                                                                                          APIs
                                                                                          • PyObject_GetAttrString.PYTHON27(?,__dict__,00000000,00000000), ref: 6C8E71E2
                                                                                          • PyErr_Clear.PYTHON27(00000000), ref: 6C8E71F0
                                                                                          • PyDict_Merge.PYTHON27(?,00000000,00000001,00000000), ref: 6C8E71FE
                                                                                          • PyObject_GetAttrString.PYTHON27(?,__bases__,?,?,?,00000000), ref: 6C8E7227
                                                                                          • PyErr_Clear.PYTHON27(?,?,?,?,?,00000000), ref: 6C8E7235
                                                                                          • PySequence_Size.PYTHON27(00000000,?,?,?,?,?,00000000), ref: 6C8E7244
                                                                                            • Part of subcall function 6C8ADF70: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8ADF90
                                                                                          • PyErr_Clear.PYTHON27(?,?,?,?,?,?,00000000), ref: 6C8E7253
                                                                                          • PySequence_GetItem.PYTHON27(00000000,00000000,?,?,?,?,?,?,00000000), ref: 6C8E727A
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Err_$ClearString$AttrObject_Sequence_$Dict_ItemMergeSize
                                                                                          • String ID: __bases__$__dict__
                                                                                          • API String ID: 3363665311-2230943850
                                                                                          APIs
                                                                                          • PyArg_ParseTuple.PYTHON27(?,s:strxfrm,?), ref: 6C82FD21
                                                                                          • malloc.MSVCR90 ref: 6C82FD59
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C82FD68
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Arg_Err_MemoryParseTuplemalloc
                                                                                          • String ID: s:strxfrm
                                                                                          • API String ID: 4029166403-969976757
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94EC87
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,PyModule_AddObject() needs module as first arg,deque,6CA8FF60), ref: 6C94EC9E
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,PyModule_AddObject() needs non-NULL value,00000000,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94ECCB
                                                                                          • PyModule_GetDict.PYTHON27(?,00000000,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94ECDB
                                                                                          • PyModule_GetName.PYTHON27(?,6CA8FF60), ref: 6C94ECE8
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,module '%s' has no __dict__,00000000,?,6CA8FF60), ref: 6C94ECF9
                                                                                          Strings
                                                                                          • PyModule_AddObject() needs non-NULL value, xrefs: 6C94ECC5
                                                                                          • module '%s' has no __dict__, xrefs: 6C94ECF3
                                                                                          • PyModule_AddObject() needs module as first arg, xrefs: 6C94EC98
                                                                                          Similarity
                                                                                          • API ID: Err_$Module_String$DictFormatNameSubtypeType_
                                                                                          • String ID: PyModule_AddObject() needs module as first arg$PyModule_AddObject() needs non-NULL value$module '%s' has no __dict__
                                                                                          • API String ID: 1633787680-2614671564
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: DebugOutputString$__iob_func$abortfflushfprintf
                                                                                          • String ID: Fatal Python error: $Fatal Python error: %s
                                                                                          • API String ID: 3980557677-2081719472
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: _finite$_errno$_isnan$_hypot
                                                                                          • String ID:
                                                                                          • API String ID: 2539433571-0
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\longobject.c,000000F4), ref: 6C8DD67A
                                                                                          • PyInt_AsLong.PYTHON27(6C8D71C0), ref: 6C8DD69A
                                                                                          Strings
                                                                                          • ..\Objects\longobject.c, xrefs: 6C8DD66F
                                                                                          • nb_int should return int object, xrefs: 6C8DD70D
                                                                                          • an integer is required, xrefs: 6C8DD72B
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8DD674
                                                                                          Similarity
                                                                                          • API ID: Err_FormatInt_Long
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\longobject.c$an integer is required$nb_int should return int object
                                                                                          • API String ID: 651860925-140860544
                                                                                          APIs
                                                                                          • PyArg_ParseTuple.PYTHON27(?,OOOO,?,?,?,?), ref: 6C827EF9
                                                                                          • PyCallable_Check.PYTHON27(?), ref: 6C827F0E
                                                                                            • Part of subcall function 6C8E7170: PyObject_GetAttrString.PYTHON27(6C8AF42C,__call__,?,6C8AF42C,00000000), ref: 6C8E718B
                                                                                            • Part of subcall function 6C8E7170: PyErr_Clear.PYTHON27(6C8AF42C,00000000), ref: 6C8E7197
                                                                                          • PySequence_Tuple.PYTHON27(?), ref: 6C827F54
                                                                                          • PyDict_New.PYTHON27 ref: 6C827F7A
                                                                                          • PyDict_Copy.PYTHON27(?), ref: 6C827F8F
                                                                                            • Part of subcall function 6C8C66F0: PyDict_New.PYTHON27 ref: 6C8C670B
                                                                                            • Part of subcall function 6C8C66F0: PyDict_Merge.PYTHON27(00000000,?,00000001), ref: 6C8C671A
                                                                                          • PyString_FromString.PYTHON27(invalid partial state), ref: 6C828079
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,invalid partial state), ref: 6C828082
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Dict_$Err_StringTuple$Arg_AttrCallable_CheckClearCopyFromMergeObjectObject_ParseSequence_String_
                                                                                          • String ID: OOOO$invalid partial state
                                                                                          • API String ID: 632166634-1248142259
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: "$"$Invalid \escape$Invalid \uXXXX escape$\$\
                                                                                          • API String ID: 0-2658592163
                                                                                          APIs
                                                                                          • PyTuple_New.PYTHON27(00000000,00000000,00000000,?), ref: 6C8F919A
                                                                                          • _PyObject_GC_Resize.PYTHON27(00000000,00000000,00000000,00000000,?), ref: 6C8F920E
                                                                                          • PyObject_GC_Del.PYTHON27(00000000,00000000,?), ref: 6C8F9222
                                                                                          • memset.MSVCR90 ref: 6C8F9250
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked,00000000,?), ref: 6C8F926B
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\tupleobject.c,0000034E,00000000,00000000,?), ref: 6C8F92D0
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8F9266
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8F92CA
                                                                                          • ..\Objects\tupleobject.c, xrefs: 6C8F92C5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object_$Err_ErrorFatalFormatResizeTuple_memset
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\tupleobject.c$GC object already tracked
                                                                                          • API String ID: 3323702923-2731488381
                                                                                          • Opcode ID: 3b311de3c210cfbea63c3afe71f8f949d23827cca6a783f2e7a5b96fe45c4706
                                                                                          • Instruction ID: 365db50187fec28b2b73e248e07f1e328144508dc16380731077d7d381422acd
                                                                                          • Opcode Fuzzy Hash: 3b311de3c210cfbea63c3afe71f8f949d23827cca6a783f2e7a5b96fe45c4706
                                                                                          • Instruction Fuzzy Hash: 5851D2B1A012028BD720CF69D9405AAB3E4EF45378F244B3DD87987B80E375E987CB91
                                                                                          APIs
                                                                                          • PyObject_GetAttrString.PYTHON27(?,?), ref: 6C8AF544
                                                                                          • PyCallable_Check.PYTHON27(00000000), ref: 6C8AF557
                                                                                            • Part of subcall function 6C8E7170: PyObject_GetAttrString.PYTHON27(6C8AF42C,__call__,?,6C8AF42C,00000000), ref: 6C8E718B
                                                                                            • Part of subcall function 6C8E7170: PyErr_Clear.PYTHON27(6C8AF42C,00000000), ref: 6C8E7197
                                                                                          • _Py_VaBuildValue_SizeT.PYTHON27(?,?), ref: 6C8AF585
                                                                                            • Part of subcall function 6C8AAFD0: PyErr_Format.PYTHON27(6CA648B0,00000000,?,?,6C8AB31B,sequence index must be integer, not '%.200s',?,00000000,?,?,6C8AEF3A), ref: 6C8AAFE5
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AF635
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AF62F
                                                                                          • attribute of type '%.200s' is not callable, xrefs: 6C8AF563
                                                                                          • GC object already tracked, xrefs: 6C8AF5C8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String$AttrObject_$BuildCallable_CheckClearFormatSizeValue_
                                                                                          • String ID: GC object already tracked$attribute of type '%.200s' is not callable$null argument to internal routine
                                                                                          • API String ID: 3997184170-539247347
                                                                                          • Opcode ID: 85614f86bbbb482b4e1903814ab89e038e087be478075dcfa6cb034bc177a978
                                                                                          • Instruction ID: 513394fce511e2f8638d8db92f7f09520ae25855e1b897b2aa2c1ae02e116ad8
                                                                                          • Opcode Fuzzy Hash: 85614f86bbbb482b4e1903814ab89e038e087be478075dcfa6cb034bc177a978
                                                                                          • Instruction Fuzzy Hash: 38312FB17003055BD724CFE99E41AA633A4FB66315B204B78EC1587B51E730DC57C7A1
                                                                                          APIs
                                                                                          • PyArg_ParseTuple.PYTHON27(?,i:getrandbits,?), ref: 6C831D13
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,number of bits must be greater than zero), ref: 6C831D32
                                                                                          • malloc.MSVCR90 ref: 6C831D6A
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C831D79
                                                                                          • _PyLong_FromByteArray.PYTHON27(00000000,?,00000001,00000000), ref: 6C831DD9
                                                                                          • free.MSVCR90 ref: 6C831DE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$Arg_ArrayByteFromLong_MemoryParseStringTuplefreemalloc
                                                                                          • String ID: $i:getrandbits$number of bits must be greater than zero
                                                                                          • API String ID: 161777060-1220404624
                                                                                          • Opcode ID: f74a79f69abaa308109e79e5f2975c28ff1844b305cebd4fd36ba72c725547e5
                                                                                          • Instruction ID: 6e02730ae58ad2e8cad2d1fd68120c5f699499d4af588a8290ceda6ef6bc2527
                                                                                          • Opcode Fuzzy Hash: f74a79f69abaa308109e79e5f2975c28ff1844b305cebd4fd36ba72c725547e5
                                                                                          • Instruction Fuzzy Hash: 2E217E73B002045BDB20CAF99D8069E776ADBD1659F145A68ED0CD7741EB31EA45C3E0
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(None), ref: 6C825539
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: FromStringString_
                                                                                          • String ID: ...$None$defaultdict(%s, %s)
                                                                                          • API String ID: 3295083243-2392874948
                                                                                          • Opcode ID: b7084caa38cc89b40ea47b0891d39b4ab9c55fa289e2e586ac83a74911d0411f
                                                                                          • Instruction ID: bd5823bd6b3def722e512236aeb26f0dc6cbdaf0725249aace00c2f1c5390acb
                                                                                          • Opcode Fuzzy Hash: b7084caa38cc89b40ea47b0891d39b4ab9c55fa289e2e586ac83a74911d0411f
                                                                                          • Instruction Fuzzy Hash: 1A215C739402019BD3209AE8FF4088773B5AB852387140B31E82987B45E739E956C7D1
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,can't convert negative value to unsigned long), ref: 6C8DD9F5
                                                                                          • PyInt_AsLong.PYTHON27(?), ref: 6C8DDA59
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,can't convert negative value to unsigned long), ref: 6C8DDA70
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\longobject.c,000001AA), ref: 6C8DDA97
                                                                                          Strings
                                                                                          • ..\Objects\longobject.c, xrefs: 6C8DDA8C
                                                                                          • can't convert negative value to unsigned long, xrefs: 6C8DD9EF, 6C8DDA6A
                                                                                          • long int too large to convert, xrefs: 6C8DDA3A
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8DDA91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$String$FormatInt_Long
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\longobject.c$can't convert negative value to unsigned long$long int too large to convert
                                                                                          • API String ID: 851377888-2248287418
                                                                                          • Opcode ID: dc4f672b28ceabc89b7970641ff77ccfbb8a002db4bcb74e9fd884bc7645df03
                                                                                          • Instruction ID: f7d5112dc7ef54d259ef4a783ec4b2657df27ccf1be451bfec0779ea39f2b64f
                                                                                          • Opcode Fuzzy Hash: dc4f672b28ceabc89b7970641ff77ccfbb8a002db4bcb74e9fd884bc7645df03
                                                                                          • Instruction Fuzzy Hash: AD213732B19100078720892EBD04E65B35CEBD1738B059BF6FC28C7BC1EB21D4A587E0
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8D0006
                                                                                          • PyObject_GetAttrString.PYTHON27(?,softspace), ref: 6C8D001D
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8D002B
                                                                                          • PyInt_AsLong.PYTHON27(00000000), ref: 6C8D003F
                                                                                          • PyInt_FromLong.PYTHON27(?), ref: 6C8D005E
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8D006C
                                                                                          • PyObject_SetAttrString.PYTHON27(?,softspace,00000000), ref: 6C8D007F
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8D008B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClearErr_$AttrInt_LongObject_String$FromSubtypeType_
                                                                                          • String ID: softspace
                                                                                          • API String ID: 3854672287-2976471430
                                                                                          • Opcode ID: e321c6f8d05ccef20644c7e52072102f8915f6d6a4b808168dc379ad9299d07b
                                                                                          • Instruction ID: 64646fe12459f24c7b11cf243f0777a3316917f1e89876be0b22a17330fb0395
                                                                                          • Opcode Fuzzy Hash: e321c6f8d05ccef20644c7e52072102f8915f6d6a4b808168dc379ad9299d07b
                                                                                          • Instruction Fuzzy Hash: F1215B766045512BC3308A99AE809DAB3A8EF6137CB154B38E85C87F40D325FC4AC3E1
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8E51E7
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,bad argument type for built-in operation), ref: 6C8E51FE
                                                                                          • PyString_FromString.PYTHON27(__name__), ref: 6C8E5218
                                                                                          • PyDict_GetItem.PYTHON27(?,00000000), ref: 6C8E5228
                                                                                          • PyString_AsString.PYTHON27(00000000), ref: 6C8E5254
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,nameless module), ref: 6C8E526C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$Err_String_$Dict_FromItemSubtypeType_
                                                                                          • String ID: __name__$bad argument type for built-in operation$nameless module
                                                                                          • API String ID: 3592122911-3885832345
                                                                                          • Opcode ID: c41f765651fc08255b76e85aa9627585363e1bde0f057e5a927ce6e85813eb82
                                                                                          • Instruction ID: 2fbce8c472601e8587c2a647a0adb405d599d8698cecb956ae9a6d3b439f8e5d
                                                                                          • Opcode Fuzzy Hash: c41f765651fc08255b76e85aa9627585363e1bde0f057e5a927ce6e85813eb82
                                                                                          • Instruction Fuzzy Hash: 7B118C76A0171057C73096A8BE00A9B73689B9677DB284D3CEC3C87F00E731E49582E1
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(null,?,?,6C82E6AF,-00000010,00000000,?,?,?,6C82E1B8,000000FE,00000000,?,?), ref: 6C82E1F9
                                                                                          • PyString_InternInPlace.PYTHON27(?,?), ref: 6C82E20C
                                                                                          • PyString_InternFromString.PYTHON27(true,?,?,6C82E6AF,-00000010,00000000,?,?,?,6C82E1B8,000000FE,00000000,?,?), ref: 6C82E23B
                                                                                          • PyString_InternFromString.PYTHON27(false,?,?,6C82E6AF,-00000010,00000000,?,?,?,6C82E1B8,000000FE,00000000,?,?), ref: 6C82E267
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,not a const,?,?,6C82E6AF,-00000010,00000000,?,?,?,6C82E1B8,000000FE,00000000,?,?), ref: 6C82E28A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: StringString_$FromIntern$Err_Place
                                                                                          • String ID: false$not a const$null$true
                                                                                          • API String ID: 2245657807-1042296947
                                                                                          • Opcode ID: 477cf6a30f6b7cad56ac0525ea401cf7a035f170d2eb21015748c5ee2176914a
                                                                                          • Instruction ID: ca8abfbd49366d6016fe69e3e10ef76133ad1d1a189840055e9a41cafa63a1a7
                                                                                          • Opcode Fuzzy Hash: 477cf6a30f6b7cad56ac0525ea401cf7a035f170d2eb21015748c5ee2176914a
                                                                                          • Instruction Fuzzy Hash: D01108B0B052075BAF24CEB6AA884993378D74524A7144F7DEC1EC6F02F735D56093D2
                                                                                          APIs
                                                                                          • PyOS_snprintf.PYTHON27(6CAA2580,0000004C,%s%s%s, %.20s, %.9s,v2.7.18,6CA13E4C,8d21aa21f2,Apr 20 2020,13:19:08,6C82A724,[MSC v.1500 32 bit (Intel)]), ref: 6C9685DE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: S_snprintf
                                                                                          • String ID: %s%s%s, %.20s, %.9s$13:19:08$8d21aa21f2$Apr 20 2020$default$tags/v2.7.18^0$undefined$v2.7.18
                                                                                          • API String ID: 2260853251-2313236023
                                                                                          • Opcode ID: 275d14a3e0240baf9d592b7e0392c87a0c36efc0de7a68fa7b235a631cba716f
                                                                                          • Instruction ID: 09f5ff9cc06421cc31cafcd6aec2faf99d1977b66b46e7fdb9d8b5b5886351a3
                                                                                          • Opcode Fuzzy Hash: 275d14a3e0240baf9d592b7e0392c87a0c36efc0de7a68fa7b235a631cba716f
                                                                                          • Instruction Fuzzy Hash: 50F03640E0C1592EF7155A7A1CB2B622EAA171731CF891AD6F95CEFEC2E207C4C9436C
                                                                                          APIs
                                                                                          • PyType_Ready.PYTHON27(6CA8B7F8), ref: 6C82F095
                                                                                          • PyType_Ready.PYTHON27(6CA8B8E8), ref: 6C82F0A6
                                                                                          • Py_InitModule4.PYTHON27(_json,6CA8B9AC,json speedups,00000000,000003F5), ref: 6C82F0C9
                                                                                          • PyModule_AddObject.PYTHON27(00000000,make_scanner,6CA8B7F8), ref: 6C82F0E8
                                                                                            • Part of subcall function 6C94EC70: PyType_IsSubtype.PYTHON27(?,?,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94EC87
                                                                                            • Part of subcall function 6C94EC70: PyErr_SetString.PYTHON27(6CA648B0,PyModule_AddObject() needs module as first arg,deque,6CA8FF60), ref: 6C94EC9E
                                                                                          • PyModule_AddObject.PYTHON27(00000000,make_encoder,6CA8B8E8,00000000,make_scanner,6CA8B7F8), ref: 6C82F0FE
                                                                                            • Part of subcall function 6C94EC70: PyErr_SetString.PYTHON27(6CA648B0,PyModule_AddObject() needs non-NULL value,00000000,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94ECCB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Type_$Err_Module_ObjectReadyString$InitModule4Subtype
                                                                                          • String ID: _json$json speedups$make_encoder$make_scanner
                                                                                          • API String ID: 2050293671-368859247
                                                                                          • Opcode ID: 08515ce5696cbd608004dfb31ca3a13a05155d6bf1174384b967ce0b348b1d04
                                                                                          • Instruction ID: 8526d3fd9f03932fa0ef85848d218576ec699ae6fcc5f3d2a7d2e8472df7eabc
                                                                                          • Opcode Fuzzy Hash: 08515ce5696cbd608004dfb31ca3a13a05155d6bf1174384b967ce0b348b1d04
                                                                                          • Instruction Fuzzy Hash: 25F0A0329432222BFB11369ABD05FAB24A4BF71088FC01E61FC0465F43E704C1CA81FA
                                                                                          APIs
                                                                                          Strings
                                                                                          • can only assign an iterable, xrefs: 6C8DA1B9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Err_Memoryfreemallocmemcpy
                                                                                          • String ID: can only assign an iterable
                                                                                          • API String ID: 2548301024-3323104
                                                                                          • Opcode ID: f1c338b905280b64d16c7dd173f876c3d6ad1be903daff817a940b5af88d012a
                                                                                          • Instruction ID: 916a8e6cbc9479edcef6db445253a457348f545bc67892c721a0411250f4f1d2
                                                                                          • Opcode Fuzzy Hash: f1c338b905280b64d16c7dd173f876c3d6ad1be903daff817a940b5af88d012a
                                                                                          • Instruction Fuzzy Hash: CB91D5716042058FCB14CF6AC98099AB3E5FFC4328F2A8A6DE8598B741E735F945CB91
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C82CEA7
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C82CEE5
                                                                                          Strings
                                                                                          • ..\Objects\listobject.c, xrefs: 6C82D071
                                                                                          • Expecting ',' delimiter, xrefs: 6C82D0B4
                                                                                          • Expecting object, xrefs: 6C82CF4A
                                                                                          • GC object already tracked, xrefs: 6C82CEE0
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C82D076
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFatalMallocObject_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\listobject.c$Expecting ',' delimiter$Expecting object$GC object already tracked
                                                                                          • API String ID: 2067638752-3793139508
                                                                                          • Opcode ID: be7a839867a41ef6496ea877c67e8d8082c0fdb71e5f12c7b79edb7659f2a760
                                                                                          • Instruction ID: f3aba2bdec80b682da746158b19320415f7425ea75b1bae9f1e8017ad7c846a6
                                                                                          • Opcode Fuzzy Hash: be7a839867a41ef6496ea877c67e8d8082c0fdb71e5f12c7b79edb7659f2a760
                                                                                          • Instruction Fuzzy Hash: 6761E4715012028BD730AF1DC6489BAF7A1EF85318B608F6AE96447B96D739D8C7C7C2
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C82CC40
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C82CC7E
                                                                                          Strings
                                                                                          • ..\Objects\listobject.c, xrefs: 6C82CDDE
                                                                                          • Expecting object, xrefs: 6C82CCD2
                                                                                          • Expecting , delimiter, xrefs: 6C82CE1E
                                                                                          • GC object already tracked, xrefs: 6C82CC79
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C82CDE3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFatalMallocObject_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\listobject.c$Expecting , delimiter$Expecting object$GC object already tracked
                                                                                          • API String ID: 2067638752-4064892806
                                                                                          • Opcode ID: 514d51a316937b4d6ac12e6d7ff66f6e04542945c91753fa30205e625de65192
                                                                                          • Instruction ID: 123ee2e6eedf92735ed266bbd5b4b34be142383733451be20996d97b1ee40c45
                                                                                          • Opcode Fuzzy Hash: 514d51a316937b4d6ac12e6d7ff66f6e04542945c91753fa30205e625de65192
                                                                                          • Instruction Fuzzy Hash: 3B6138715056154FE730AE0CDA886B5B7A1FB46318B214F1AD8B447B82D339D9C7CBC2
                                                                                          APIs
                                                                                          • PyUnicodeUCS2_AsEncodedString.PYTHON27(?,00000000,00000000), ref: 6C8E6C55
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,attribute name must be string, not '%.200s',?), ref: 6C8E6C7B
                                                                                          • PyType_Ready.PYTHON27(?), ref: 6C8E6C9C
                                                                                          • _PyType_Lookup.PYTHON27(?,?), ref: 6C8E6CAE
                                                                                          • PyDict_GetItem.PYTHON27(?,?), ref: 6C8E6D52
                                                                                          Strings
                                                                                          • '%.50s' object has no attribute '%.400s', xrefs: 6C8E6DE0
                                                                                          • attribute name must be string, not '%.200s', xrefs: 6C8E6C75
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Type_$Dict_EncodedErr_FormatItemLookupReadyStringUnicode
                                                                                          • String ID: '%.50s' object has no attribute '%.400s'$attribute name must be string, not '%.200s'
                                                                                          • API String ID: 2490400702-3798209010
                                                                                          • Opcode ID: 78663548537a02f3c40a6574ee79f33527c1df9a04e4cf9b1d30ead93f885e87
                                                                                          • Instruction ID: 8a73ec56c540b0456fa738882026413a67ea5dc8f41d31f240dffda5a54aac1f
                                                                                          • Opcode Fuzzy Hash: 78663548537a02f3c40a6574ee79f33527c1df9a04e4cf9b1d30ead93f885e87
                                                                                          • Instruction Fuzzy Hash: EA610571B005099BD724CF14CA41BAAB3B4EF8A325F258628ED28CB780D735ED42CBD0
                                                                                          APIs
                                                                                            • Part of subcall function 6C8264F0: Py_FatalError.PYTHON27(GC object already tracked), ref: 6C826560
                                                                                          • PyString_AsStringAndSize.PYTHON27(00000000,?,?), ref: 6C82662A
                                                                                          • PyString_AsStringAndSize.PYTHON27(00000000,?,?), ref: 6C826656
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA64978), ref: 6C8266F7
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C826703
                                                                                          • PyErr_SetString.PYTHON27(00000000,unexpected end of data), ref: 6C82673D
                                                                                          • PyErr_Format.PYTHON27(00000000,line contains NUL), ref: 6C826790
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$String$SizeString_$ClearErrorExceptionFatalFormatGivenMatches
                                                                                          • String ID: line contains NUL$unexpected end of data
                                                                                          • API String ID: 2960452433-1196342961
                                                                                          • Opcode ID: 265f9343bbb07786613ecb546147cc004aacb147fe73afc36772ffb373053ff7
                                                                                          • Instruction ID: eb66618e576224cfa2739a58b7d3e76e976d826396c5b6448a72b5b8293cd6c0
                                                                                          • Opcode Fuzzy Hash: 265f9343bbb07786613ecb546147cc004aacb147fe73afc36772ffb373053ff7
                                                                                          • Instruction Fuzzy Hash: 0651E5766002018FD720CE59EA44A5673E4EB85338F144B69ED58CBB81D738ED99CBD2
                                                                                          APIs
                                                                                          • PyErr_WarnEx.PYTHON27(6CA66B30,__methods__ not supported in 3.x,00000001), ref: 6C8E4E85
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C8E4EE7
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C8E4F55
                                                                                          • PyErr_SetObject.PYTHON27(6CA655C0,00000000), ref: 6C8E4F61
                                                                                          • PyCFunction_NewEx.PYTHON27(?,?,00000000), ref: 6C8E4F8E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_FromStringString_$Function_ObjectWarn
                                                                                          • String ID: __doc__$__methods__$__methods__ not supported in 3.x
                                                                                          • API String ID: 2564561678-680540298
                                                                                          • Opcode ID: 48890bd3340ea9161b25c2353e81db6ea230d3b9a853457ee4b0592f784c3481
                                                                                          • Instruction ID: 0eef602c2c5415645f9b59e8d8446b8a27329ec733d4fb2ae9884dd29fb50c7f
                                                                                          • Opcode Fuzzy Hash: 48890bd3340ea9161b25c2353e81db6ea230d3b9a853457ee4b0592f784c3481
                                                                                          • Instruction Fuzzy Hash: 9541316270814107C7318EB95E916A27BA69ECB67CB5C4FA5DC5CCBB82E713D40AC391
                                                                                          APIs
                                                                                          • PyObject_RichCompare.PYTHON27(?,?,00000002), ref: 6C823FEF
                                                                                          • PyString_FromString.PYTHON27(deque.remove(x): x not in deque), ref: 6C824071
                                                                                          • PyErr_SetObject.PYTHON27(6CA65D10,00000000,deque.remove(x): x not in deque), ref: 6C82407A
                                                                                          • PyString_FromString.PYTHON27(deque mutated during remove().), ref: 6C8240AB
                                                                                          • PyErr_SetObject.PYTHON27(6CA65B38,00000000,deque mutated during remove().), ref: 6C8240B4
                                                                                            • Part of subcall function 6C823590: PyString_FromString.PYTHON27(pop from an empty deque), ref: 6C8235AF
                                                                                            • Part of subcall function 6C823590: PyErr_SetObject.PYTHON27(6CA65B38,00000000,pop from an empty deque), ref: 6C8235B8
                                                                                            • Part of subcall function 6C823B50: memcpy.MSVCR90(?,?,00000000), ref: 6C823C06
                                                                                            • Part of subcall function 6C823B50: free.MSVCR90 ref: 6C823C43
                                                                                          Strings
                                                                                          • deque mutated during remove()., xrefs: 6C8240A6
                                                                                          • deque.remove(x): x not in deque, xrefs: 6C82406C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_$CompareObject_Richfreememcpy
                                                                                          • String ID: deque mutated during remove().$deque.remove(x): x not in deque
                                                                                          • API String ID: 1611417228-1522195534
                                                                                          • Opcode ID: 02eff7e3455077ab60bb86df1a95e3eb0989e98e5ebf9534e39f2702962db690
                                                                                          • Instruction ID: 749710068ce7cbf24217bb9171574e72b77ed75518c36a5741f60a96491d8350
                                                                                          • Opcode Fuzzy Hash: 02eff7e3455077ab60bb86df1a95e3eb0989e98e5ebf9534e39f2702962db690
                                                                                          • Instruction Fuzzy Hash: D0410C72A046018BC320DE79AE44556B7E4EFC5338B140F39E92987B81E779EDC6C6E1
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,buffer has negative size), ref: 6C835D7C
                                                                                          Strings
                                                                                          • expected string or buffer, xrefs: 6C835DEA
                                                                                          • buffer size mismatch, xrefs: 6C835DB5
                                                                                          • buffer has negative size, xrefs: 6C835D76
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: buffer has negative size$buffer size mismatch$expected string or buffer
                                                                                          • API String ID: 1450464846-3209885078
                                                                                          • Opcode ID: 4ea611a9c305e5cbb8e4e2b3f8bc21fe0b444f6a58b03dda9df9382a2661b147
                                                                                          • Instruction ID: 53e46bdcd82f01b22203f7fc9a58aa72ea9e0828d541af75ec6ad63816cce0c0
                                                                                          • Opcode Fuzzy Hash: 4ea611a9c305e5cbb8e4e2b3f8bc21fe0b444f6a58b03dda9df9382a2661b147
                                                                                          • Instruction Fuzzy Hash: 8A31D2327017115FD721DE68ED44B9A73E4EB85229F209A7AEC2CCBB40E731E9118BD1
                                                                                          APIs
                                                                                          • PyObject_GetAttrString.PYTHON27(?,__dir__,?,?,?,6C8E77F7), ref: 6C8E76B9
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA655C0), ref: 6C8E76DB
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8E76E7
                                                                                            • Part of subcall function 6C8E74E0: PyDict_New.PYTHON27(?,6CA69E88,?,6C8E7758,?), ref: 6C8E74E7
                                                                                            • Part of subcall function 6C8E74E0: PyDict_Keys.PYTHON27(00000000), ref: 6C8E7504
                                                                                          • PyType_IsSubtype.PYTHON27(6CA69E88,?,?,?,?,?,?,?,?,?,6C8E77F7), ref: 6C8E7728
                                                                                          • PyObject_CallFunctionObjArgs.PYTHON27(00000000,00000000,?,?,?,?,?,?,?,?,6C8E77F7), ref: 6C8E7773
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,__dir__() must return a list, not %.200s,?), ref: 6C8E77B1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_$Dict_Object_$ArgsAttrCallClearExceptionFormatFunctionGivenKeysMatchesStringSubtypeType_
                                                                                          • String ID: __dir__$__dir__() must return a list, not %.200s
                                                                                          • API String ID: 875330717-2214674259
                                                                                          • Opcode ID: 71f973152921e32993ebb567a51acbc96e4ba876e0844f7ca1041571fd28ffde
                                                                                          • Instruction ID: b2689b6cce75df7b17157290bdf78a13cb85d2a5f7da10b04e41a2f0a5fb5672
                                                                                          • Opcode Fuzzy Hash: 71f973152921e32993ebb567a51acbc96e4ba876e0844f7ca1041571fd28ffde
                                                                                          • Instruction Fuzzy Hash: 38317873A001120BC7209A6EAF01A9A7365DB8B27DF194B79DC2887F41EB20DC56C3D1
                                                                                          APIs
                                                                                          • PyBuffer_IsContiguous.PYTHON27(?,?), ref: 6C8ABC87
                                                                                          • memcpy.MSVCR90(00000000,?,?), ref: 6C8ABC9E
                                                                                          • malloc.MSVCR90 ref: 6C8ABCC4
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C8ABCD3
                                                                                          • PyBuffer_GetPointer.PYTHON27(?,00000000,?,?,?,?), ref: 6C8ABD2D
                                                                                          • memcpy.MSVCR90(00000000), ref: 6C8ABD36
                                                                                          • free.MSVCR90 ref: 6C8ABD54
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Buffer_memcpy$ContiguousErr_MemoryPointerfreemalloc
                                                                                          • String ID: F
                                                                                          • API String ID: 574524102-1304234792
                                                                                          • Opcode ID: d63ac7376d73f43af491ac2afa94af841b7fc4c53c16fb9204484e2eebd6dd02
                                                                                          • Instruction ID: 7e64cbf6f1926ee428f6badf4fcc6d75a36b68989751fb628fc82fc0970ec9ae
                                                                                          • Opcode Fuzzy Hash: d63ac7376d73f43af491ac2afa94af841b7fc4c53c16fb9204484e2eebd6dd02
                                                                                          • Instruction Fuzzy Hash: 463191B160020DAFDB208FA9ED40AA773E8EF41329F144D29FC15C6B40E775E955CBA1
                                                                                          APIs
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000000,00000001,00000000,?,6C880E50,?,00000000,00000000), ref: 6C9329E8
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked,00000000,00000000), ref: 6C932A12
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,argument list must be a tuple), ref: 6C932A56
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,keyword list must be a dictionary), ref: 6C932A87
                                                                                          • PyObject_Call.PYTHON27(00000000,?,6C880E50), ref: 6C932AAE
                                                                                            • Part of subcall function 6C8AF070: _Py_CheckRecursiveCall.PYTHON27( while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C8AF0A5
                                                                                            • Part of subcall function 6C8AF070: PyErr_SetString.PYTHON27(6CA665C8,NULL result without error in PyObject_Call,?,00000000,00000000), ref: 6C8AF0E4
                                                                                          Strings
                                                                                          • argument list must be a tuple, xrefs: 6C932A50
                                                                                          • GC object already tracked, xrefs: 6C932A0D
                                                                                          • keyword list must be a dictionary, xrefs: 6C932A81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_String$CallObject_$CheckErrorFatalRecursive
                                                                                          • String ID: GC object already tracked$argument list must be a tuple$keyword list must be a dictionary
                                                                                          • API String ID: 1239886332-4171008509
                                                                                          • Opcode ID: 694b66673ebe96d219492e7dbefe45404b67484ef26cb9973e0e9c03592918ef
                                                                                          • Instruction ID: 537f46627cd16fa8c3b43a8d6b806c17223ebc5cdd123674381ccfd7a8166dd5
                                                                                          • Opcode Fuzzy Hash: 694b66673ebe96d219492e7dbefe45404b67484ef26cb9973e0e9c03592918ef
                                                                                          • Instruction Fuzzy Hash: 84312572601A118FD724CF28EC05AA673B8FF56329B258769DC29C7782D730E816C7D1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\stringobject.c,00000330,00000002,?,?,6C8EDC88,?,?,?), ref: 6C8EDCC4
                                                                                          • PyUnicodeUCS2_AsEncodedString.PYTHON27(?,?,?,00000002,?,?,6C8EDC88,?,?,?), ref: 6C8EDCF6
                                                                                          Strings
                                                                                          • expected string without null bytes, xrefs: 6C8EDD65
                                                                                          • expected string or Unicode object, %.200s found, xrefs: 6C8EDD1E
                                                                                          • ..\Objects\stringobject.c, xrefs: 6C8EDCB9
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8EDCBE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: EncodedErr_FormatStringUnicode
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\stringobject.c$expected string or Unicode object, %.200s found$expected string without null bytes
                                                                                          • API String ID: 954898053-3818547146
                                                                                          • Opcode ID: 94a3376afb85b22251be1cfe5329f97d2e228593a7d15542b9cb64b196ccc55a
                                                                                          • Instruction ID: 2ecfa5ce22c60b72be185f42341d475554608770bad8043782cff2e4668087ad
                                                                                          • Opcode Fuzzy Hash: 94a3376afb85b22251be1cfe5329f97d2e228593a7d15542b9cb64b196ccc55a
                                                                                          • Instruction Fuzzy Hash: 4821DB367156055BD720CE3DED409A673A8DBD6339B144B6EEC68C7B90EB21E40986D0
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(__lt__), ref: 6C828144
                                                                                          • PyObject_GetAttr.PYTHON27(?,?), ref: 6C82815D
                                                                                          • PyObject_RichCompare.PYTHON27(?,?,00000000), ref: 6C82817E
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8281A2
                                                                                          • PyObject_RichCompare.PYTHON27(?,?,00000001), ref: 6C8281AB
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Object_$CompareRich$AttrClearErr_FromStringString_
                                                                                          • String ID: __lt__
                                                                                          • API String ID: 4101424129-312919634
                                                                                          • Opcode ID: 16e738f963336473e94ee53df502f3e033187fe22805977e58ad6873e5c4a4c7
                                                                                          • Instruction ID: 5cf04191e5ce7615651f87dbf6bf494c63d5e582f8213a6761cf91a935926f32
                                                                                          • Opcode Fuzzy Hash: 16e738f963336473e94ee53df502f3e033187fe22805977e58ad6873e5c4a4c7
                                                                                          • Instruction Fuzzy Hash: 1D2147B7A0061107DB30693DAE0568B32A45F8633CB194F35E82987FC0E72CDD8782D2
                                                                                          APIs
                                                                                          • PyFrame_FastToLocals.PYTHON27(00000000), ref: 6C8E743E
                                                                                            • Part of subcall function 6C8D5510: PyDict_New.PYTHON27 ref: 6C8D552F
                                                                                            • Part of subcall function 6C8D5510: PyErr_Clear.PYTHON27 ref: 6C8D553E
                                                                                          • PyString_FromString.PYTHON27(frame does not exist), ref: 6C8E7458
                                                                                          • PyErr_SetObject.PYTHON27(6CA665C8,00000000,frame does not exist), ref: 6C8E7461
                                                                                          • PyObject_CallMethod.PYTHON27(?,keys,00000000), ref: 6C8E748E
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,dir(): expected keys() of locals to be a list, not '%.200s',?), ref: 6C8E74B7
                                                                                          Strings
                                                                                          • frame does not exist, xrefs: 6C8E7453
                                                                                          • keys, xrefs: 6C8E7488
                                                                                          • dir(): expected keys() of locals to be a list, not '%.200s', xrefs: 6C8E74B1
                                                                                          Similarity
                                                                                          • API ID: Err_$CallClearDict_FastFormatFrame_FromLocalsMethodObjectObject_StringString_
                                                                                          • String ID: dir(): expected keys() of locals to be a list, not '%.200s'$frame does not exist$keys
                                                                                          • API String ID: 29291870-2405348499
                                                                                          • Opcode ID: 338522fc3dd271dccd4e0dd53b618c33d0c1b5462c645505bf2250d1bc2686d6
                                                                                          • Instruction ID: ab1dbe1feef14d9bd83c561fe5c03b64cc5c566723e3fadcaefcdb8e7272e5d5
                                                                                          • Opcode Fuzzy Hash: 338522fc3dd271dccd4e0dd53b618c33d0c1b5462c645505bf2250d1bc2686d6
                                                                                          • Instruction Fuzzy Hash: 32113A73E02A211BC2309A9CAE04D9B77A8DF4A73CF154B64EC5897B41E725EC1687D2
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(json.decoder), ref: 6C82B473
                                                                                          • PyImport_Import.PYTHON27(00000000), ref: 6C82B486
                                                                                          • PyObject_GetAttrString.PYTHON27(00000000,errmsg), ref: 6C82B4AB
                                                                                          • PyObject_CallFunction.PYTHON27(?,(zOO&),?,?,Function_0000ADF0,?), ref: 6C82B4E9
                                                                                          • PyErr_SetObject.PYTHON27(6CA65D10,00000000), ref: 6C82B4FF
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Object_String$AttrCallErr_FromFunctionImportImport_ObjectString_
                                                                                          • String ID: (zOO&)$errmsg$json.decoder
                                                                                          • API String ID: 3680976038-3043390446
                                                                                          • Opcode ID: 422ac6aa13936788384a16651f4aeac2567c7d26e85e1f81afa7a573be7b0bdf
                                                                                          • Instruction ID: b0b4c4c60abf5a246d793c3dbef702d8ee83b83d98ca78d555e973562303594d
                                                                                          • Opcode Fuzzy Hash: 422ac6aa13936788384a16651f4aeac2567c7d26e85e1f81afa7a573be7b0bdf
                                                                                          • Instruction Fuzzy Hash: F6113AB290161317D3248E59DE48CAB33B4AF51328B154B24FD294BB81E72CFD9687D1
                                                                                          APIs
                                                                                          • PyEval_SaveThread.PYTHON27(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C8CCDE2), ref: 6C8CC6F8
                                                                                            • Part of subcall function 6C92E4E0: Py_FatalError.PYTHON27(PyEval_SaveThread: NULL tstate,00000000,6C9467DA,00000000,00000000,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E4FA
                                                                                            • Part of subcall function 6C92E4E0: InterlockedDecrement.KERNEL32(?), ref: 6C92E516
                                                                                            • Part of subcall function 6C92E4E0: SetEvent.KERNEL32(?,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E524
                                                                                          • _fileno.MSVCR90 ref: 6C8CC703
                                                                                          • _fstat64i32.MSVCR90(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8CCDE2), ref: 6C8CC712
                                                                                          • PyEval_RestoreThread.PYTHON27(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8CCDE2), ref: 6C8CC71B
                                                                                            • Part of subcall function 6C92E540: Py_FatalError.PYTHON27(PyEval_RestoreThread: NULL tstate,?,?,6C9467F6,00000000,00000000,00000000,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E550
                                                                                            • Part of subcall function 6C92E540: _errno.MSVCR90 ref: 6C92E569
                                                                                            • Part of subcall function 6C92E540: _errno.MSVCR90 ref: 6C92E585
                                                                                          • strerror.MSVCR90 ref: 6C8CC73B
                                                                                          • _PyObject_CallFunction_SizeT.PYTHON27(6CA64EC0,(isO),00000015,00000000,?), ref: 6C8CC757
                                                                                            • Part of subcall function 6C8AF2F0: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AF317
                                                                                          • PyErr_SetObject.PYTHON27(6CA64EC0,00000000), ref: 6C8CC768
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Err_ErrorEval_FatalThread_errno$CallDecrementEventFunction_InterlockedObjectObject_RestoreSaveSizeString_fileno_fstat64i32strerror
                                                                                          • String ID: (isO)
                                                                                          • API String ID: 3937096073-307836670
                                                                                          • Opcode ID: 0cf5026a61143f80121427703d8eef0b488da2bef9a26ef64ea2a5b0cc583c4d
                                                                                          • Instruction ID: 0cbaba3d7e09d0fb53d7ac8861996db8d3a704b442b805d75c3ac67b9ab0e5ca
                                                                                          • Opcode Fuzzy Hash: 0cf5026a61143f80121427703d8eef0b488da2bef9a26ef64ea2a5b0cc583c4d
                                                                                          • Instruction Fuzzy Hash: FD115971B002000BD720ABBADC48A9773A8DB8122DF144B38EE1983A81EB35E81582D2
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(6CAEF1C3,?,?,6C8E595C,00000000,?,-00000040,00000000,00000000), ref: 6C950F5B
                                                                                          • TlsGetValue.KERNEL32(?,?,6C8E595C,00000000,?,-00000040,00000000,00000000), ref: 6C950F64
                                                                                          • SetLastError.KERNEL32(00000000,?,6C8E595C,00000000,?,-00000040,00000000,00000000), ref: 6C950F6D
                                                                                          • Py_FatalError.PYTHON27(auto-releasing thread-state, but no thread-state for this thread,?,6C8E595C,00000000,?,-00000040,00000000,00000000), ref: 6C950F7C
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          • Py_FatalError.PYTHON27(This thread state must be current when releasing,?,6C8E595C,00000000,?,-00000040,00000000,00000000), ref: 6C950F91
                                                                                          • PyThreadState_Clear.PYTHON27(00000000,?,?,?,?,?,?,?,?,?,6C8E595C,00000000,?,-00000040,00000000,00000000), ref: 6C950FA0
                                                                                          Strings
                                                                                          • auto-releasing thread-state, but no thread-state for this thread, xrefs: 6C950F77
                                                                                          • This thread state must be current when releasing, xrefs: 6C950F8C
                                                                                          Similarity
                                                                                          • API ID: Error$DebugOutputString$FatalLast__iob_func$ClearState_ThreadValueabortfflushfprintf
                                                                                          • String ID: This thread state must be current when releasing$auto-releasing thread-state, but no thread-state for this thread
                                                                                          • API String ID: 635605043-2749262977
                                                                                          • Opcode ID: 3d969b92ec1fd5b75ccd6deaa6d71aa60397ed9c9cd37fd473f65b9c41c8cc4b
                                                                                          • Instruction ID: dfed60485fb580ce3f5d2f9d4800eae7ff4f8de46aaa62ddc6e35ddacc1135c1
                                                                                          • Opcode Fuzzy Hash: 3d969b92ec1fd5b75ccd6deaa6d71aa60397ed9c9cd37fd473f65b9c41c8cc4b
                                                                                          • Instruction Fuzzy Hash: 45F02B73A082305B9B105AAE7D094AE377C5F5337D709022AEE0597E409726E4B586E2
                                                                                          APIs
                                                                                          • PyOS_snprintf.PYTHON27(?,00000000,%.100s,(impossible<bad format char>),6C94531E,?,?,?), ref: 6C943CDD
                                                                                          • strncpy.MSVCR90 ref: 6C943CE5
                                                                                          • PyOS_snprintf.PYTHON27(?,00000000,must be %.50s, not %.50s,(impossible<bad format char>),None,6C94531E,?,?,?), ref: 6C943D0B
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: S_snprintf$strncpy
                                                                                          • String ID: %.100s$(impossible<bad format char>)$None$must be %.50s, not %.50s
                                                                                          • API String ID: 3205757138-3587708185
                                                                                          • Opcode ID: b927d1c4c95558bedd44234e317e79ecbaf857cc6061b76ecb0ed72cde0e486b
                                                                                          • Instruction ID: 500dc6201bafa10d0cd7275714738231c479e8b9170f991c7fe78d66cb7cbdc8
                                                                                          • Opcode Fuzzy Hash: b927d1c4c95558bedd44234e317e79ecbaf857cc6061b76ecb0ed72cde0e486b
                                                                                          • Instruction Fuzzy Hash: 5CF0A090A094A07FE751A22D6C89D6B7A6CDFA268CF0A8488F4449BE03D718CD95C2B5
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: strchr$strncmp
                                                                                          • String ID: +TD$btcnSR$ccs$rwa
                                                                                          • API String ID: 2197385779-2548749225
                                                                                          • Opcode ID: bda6ce2c84660cdc2ec18c039de16433f47b469701bb3551f27c3935575f41e5
                                                                                          • Instruction ID: 21ba23fc4c593ecd2dac094117651f95f322e60c6e4d7f2227a0186b201079f3
                                                                                          • Opcode Fuzzy Hash: bda6ce2c84660cdc2ec18c039de16433f47b469701bb3551f27c3935575f41e5
                                                                                          • Instruction Fuzzy Hash: 10419C71B043655AE7306F794E09769BBE49B82388F2C0E6DCCC6D2D43E620D5C58393
                                                                                          APIs
                                                                                          • PySequence_GetSlice.PYTHON27(?,00000000,00000000), ref: 6C83649F
                                                                                            • Part of subcall function 6C8AE3E0: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AE401
                                                                                          • PyObject_GetAttrString.PYTHON27(00000000,join), ref: 6C8364D6
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000001), ref: 6C836526
                                                                                            • Part of subcall function 6C85BAA0: _PyObject_GC_Malloc.PYTHON27(?), ref: 6C85BABC
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C83654A
                                                                                          • PyEval_CallObjectWithKeywords.PYTHON27(00000000,00000000,00000000), ref: 6C836582
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object_$String$AttrCallErr_ErrorEval_FatalKeywordsMallocObjectSequence_SliceWith
                                                                                          • String ID: GC object already tracked$join
                                                                                          • API String ID: 1422419863-3426826676
                                                                                          • Opcode ID: c0dbc4bc61d5ca12a26b5f1cf4ebe2ef95da27a5df48df7b9f78d5a0faca222a
                                                                                          • Instruction ID: 4f295ab1fefe5ee5914d6259d1e4cbbea19d1c95b4f68324025ac8341b9aa63d
                                                                                          • Opcode Fuzzy Hash: c0dbc4bc61d5ca12a26b5f1cf4ebe2ef95da27a5df48df7b9f78d5a0faca222a
                                                                                          • Instruction Fuzzy Hash: C641C1B1A002119BD7248FA8D981A9673A4FB51334F149B78D92D8B7C1D735E846CBD1
                                                                                          APIs
                                                                                          • PyLong_AsUnsignedLongLongMask.PYTHON27(?), ref: 6C8D7447
                                                                                          • PyString_FromString.PYTHON27(an integer is required), ref: 6C8D7524
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,an integer is required), ref: 6C8D752D
                                                                                          Strings
                                                                                          • __int__ method should return an integer, xrefs: 6C8D74DD
                                                                                          • an integer is required, xrefs: 6C8D751F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Long$Err_FromLong_MaskObjectStringString_Unsigned
                                                                                          • String ID: __int__ method should return an integer$an integer is required
                                                                                          • API String ID: 4252816533-4209363968
                                                                                          • Opcode ID: 3ca65aef0f5e81a70863eb98d33273abd88e66f6ede94896bf14169c49f6dd5b
                                                                                          • Instruction ID: 8b315689d9cf4cc76ccc09413e066d458a69b240c0714b43cae8d439e774f56f
                                                                                          • Opcode Fuzzy Hash: 3ca65aef0f5e81a70863eb98d33273abd88e66f6ede94896bf14169c49f6dd5b
                                                                                          • Instruction Fuzzy Hash: 8F312872B015014BD224CA6DAC40A96B3A5EB85239B254B78ED3CC7BD4E722EC52C7D2
                                                                                          APIs
                                                                                          • PyObject_Call.PYTHON27(00000000,00000000,00000000), ref: 6C827C4C
                                                                                          • PySequence_Concat.PYTHON27(?,?), ref: 6C827C94
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,000006DD), ref: 6C827CC3
                                                                                          • PyDict_Copy.PYTHON27(?), ref: 6C827CCF
                                                                                            • Part of subcall function 6C8C66F0: PyDict_New.PYTHON27 ref: 6C8C670B
                                                                                            • Part of subcall function 6C8C66F0: PyDict_Merge.PYTHON27(00000000,?,00000001), ref: 6C8C671A
                                                                                          • PyDict_Merge.PYTHON27(00000000,?,00000001), ref: 6C827D06
                                                                                          Strings
                                                                                          • ..\Objects\dictobject.c, xrefs: 6C827CB8
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C827CBD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Dict_$Merge$CallConcatCopyErr_FormatObject_Sequence_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\dictobject.c
                                                                                          • API String ID: 1080960429-1541589624
                                                                                          • Opcode ID: 9bb52c7dc0796e9aed3e9208cc1cd390faaf6e153b292eaa524a4b71872fca78
                                                                                          • Instruction ID: 7018483f6347649aca0bb90b84849c99ebbb6acb7a7ff7a320b0d6b85ed34f42
                                                                                          • Opcode Fuzzy Hash: 9bb52c7dc0796e9aed3e9208cc1cd390faaf6e153b292eaa524a4b71872fca78
                                                                                          • Instruction Fuzzy Hash: 0D41D9726005015BD324CE7ADD84A9773A4FB84338B264B68ED2887B81E739DC92C7D1
                                                                                          APIs
                                                                                          • PyObject_RichCompare.PYTHON27(?,?,00000002), ref: 6C823E82
                                                                                          • PyObject_IsTrue.PYTHON27(00000000), ref: 6C823EAB
                                                                                          • PyInt_FromLong.PYTHON27(00000000), ref: 6C823F27
                                                                                          • PyString_FromString.PYTHON27(deque mutated during iteration), ref: 6C823F41
                                                                                          • PyErr_SetObject.PYTHON27(6CA65248,00000000,deque mutated during iteration), ref: 6C823F4A
                                                                                          • _PyLong_FromByteArray.PYTHON27(?,00000004,00000001,00000001), ref: 6C823F7F
                                                                                          Strings
                                                                                          • deque mutated during iteration, xrefs: 6C823F3C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: From$Object_$ArrayByteCompareErr_Int_LongLong_ObjectRichStringString_True
                                                                                          • String ID: deque mutated during iteration
                                                                                          • API String ID: 157478544-601426129
                                                                                          • Opcode ID: b6b623d727c83c7cc3587f7c2de655b6f6047b683f8a1369343f300a98327486
                                                                                          • Instruction ID: 25971192b2b49fd1b6301612dfefaf743f8fc8474cd721070aec000b2d688b81
                                                                                          • Opcode Fuzzy Hash: b6b623d727c83c7cc3587f7c2de655b6f6047b683f8a1369343f300a98327486
                                                                                          • Instruction Fuzzy Hash: 7541EB756043019BC320DE19D984A5BB3F9EFC4328F248E69ED6887B40D735DD868BD2
                                                                                          APIs
                                                                                          • PyArg_ParseTuple.PYTHON27 ref: 6C82A954
                                                                                          • PyObject_Malloc.PYTHON27(00002838,?,?), ref: 6C82A96A
                                                                                          • PyErr_NoMemory.PYTHON27(?,?,?), ref: 6C82A976
                                                                                            • Part of subcall function 6C940380: PyErr_GivenExceptionMatches.PYTHON27(00000000,6CA667A8,?,6C8F7E82,00000000,6C8AB1D5,?,?,?,6C8AF66F,00000000,?,00000000,6C8AF785,00000000), ref: 6C940396
                                                                                            • Part of subcall function 6C940380: PyErr_SetObject.PYTHON27(6CA667A8,?), ref: 6C9403B3
                                                                                          • PyDict_New.PYTHON27 ref: 6C82A9E1
                                                                                          • fopen.MSVCR90 ref: 6C82AA11
                                                                                          • PyErr_SetFromErrnoWithFilename.PYTHON27(6CA64EC0,?,?,?,?,?,?), ref: 6C82AA41
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$Arg_Dict_ErrnoExceptionFilenameFromGivenMallocMatchesMemoryObjectObject_ParseTupleWithfopen
                                                                                          • String ID: s|ii:profiler
                                                                                          • API String ID: 159822933-225131833
                                                                                          • Opcode ID: 66fd8a7837d1e941337f92cf1818fbfc68b25a49279a76a0d70e9915edecd5fb
                                                                                          • Instruction ID: d835ab5ce2f2a7fdfc66b2c5d227fe9f40176e308d76b7d7ffcc1f0a21bfc948
                                                                                          • Opcode Fuzzy Hash: 66fd8a7837d1e941337f92cf1818fbfc68b25a49279a76a0d70e9915edecd5fb
                                                                                          • Instruction Fuzzy Hash: 254155B19056018FC320DF69D9445D6B3E8EF94328F148F2ED4A987640E775E585CBD2
                                                                                          APIs
                                                                                          • PyLong_AsLong.PYTHON27(00000000), ref: 6C8D7187
                                                                                          • PyString_FromString.PYTHON27(an integer is required,?,00000000,?,6C8D72FD,00000000,?,6C8AD745,00000000,?,00000000), ref: 6C8D722C
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,?,00000000), ref: 6C8D7238
                                                                                          Strings
                                                                                          • __int__ method should return an integer, xrefs: 6C8D71F1
                                                                                          • an integer is required, xrefs: 6C8D7227
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromLongLong_ObjectStringString_
                                                                                          • String ID: __int__ method should return an integer$an integer is required
                                                                                          • API String ID: 3725047433-4209363968
                                                                                          • Opcode ID: b26a2d54a3a9bd6d28af2e0b1d3c45be39891382c04b3c9f51262da24ce7f811
                                                                                          • Instruction ID: a589eec092143ce3212877ae5cb3341032cd0693f72cba79a37c1c3d6b33ff30
                                                                                          • Opcode Fuzzy Hash: b26a2d54a3a9bd6d28af2e0b1d3c45be39891382c04b3c9f51262da24ce7f811
                                                                                          • Instruction Fuzzy Hash: 9E312672B015110BD624996DAD0199A33A4EB81238B154B7DED3A8BBC4EB21F846C7D2
                                                                                          APIs
                                                                                          • PyCallable_Check.PYTHON27(?), ref: 6C8256A4
                                                                                            • Part of subcall function 6C8E7170: PyObject_GetAttrString.PYTHON27(6C8AF42C,__call__,?,6C8AF42C,00000000), ref: 6C8E718B
                                                                                            • Part of subcall function 6C8E7170: PyErr_Clear.PYTHON27(6C8AF42C,00000000), ref: 6C8E7197
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,first argument must be callable or None), ref: 6C8256C3
                                                                                          • PySequence_GetSlice.PYTHON27(?,00000001,?), ref: 6C8256D9
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000000), ref: 6C8256FB
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C825725
                                                                                          Strings
                                                                                          • first argument must be callable or None, xrefs: 6C8256BD
                                                                                          • GC object already tracked, xrefs: 6C825720
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Object_String$AttrCallable_CheckClearErrorFatalSequence_Slice
                                                                                          • String ID: GC object already tracked$first argument must be callable or None
                                                                                          • API String ID: 381339369-1374251831
                                                                                          • Opcode ID: b6c03b78796a4b189333a3bdca184862adfdab47bee0ed745b6c6f171bb4dffb
                                                                                          • Instruction ID: be9498f167685a480043a340e9c01827f8637ef6fbe8cf148d4de0786748966a
                                                                                          • Opcode Fuzzy Hash: b6c03b78796a4b189333a3bdca184862adfdab47bee0ed745b6c6f171bb4dffb
                                                                                          • Instruction Fuzzy Hash: 733107716413029FC720CF19D944A5673B4FF56329B208B28EC6987B85D734EC56CBD0
                                                                                          APIs
                                                                                          • PyDict_Size.PYTHON27(?), ref: 6C8361B5
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%s() takes at most %d positional arguments (%zd given),match,00000003,?), ref: 6C8361E1
                                                                                          • _PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(7FFFFFFF,?,|OnnO:match,6CA808BC,?,?,7FFFFFFF,?), ref: 6C83620D
                                                                                            • Part of subcall function 6C834680: PyErr_CheckSignals.PYTHON27 ref: 6C83473E
                                                                                            • Part of subcall function 6C835F00: free.MSVCR90 ref: 6C835F2A
                                                                                            • Part of subcall function 6C838420: PyObject_Malloc.PYTHON27(0000002F,00000000,?,?,?,?,?,6C8362A8,?), ref: 6C838453
                                                                                            • Part of subcall function 6C838420: PyErr_NoMemory.PYTHON27(?,?,?,?,?,6C8362A8,?), ref: 6C83845F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$Size$Arg_CheckDict_FormatKeywords_MallocMemoryObject_ParseSignalsTuplefree
                                                                                          • String ID: %s() takes at most %d positional arguments (%zd given)$match$pattern$|OnnO:match
                                                                                          • API String ID: 395870227-446452760
                                                                                          • Opcode ID: 3846aff6390e4b45f075684899799d0b6f2626a42dd5b01ed87639f20b9fa95e
                                                                                          • Instruction ID: 519e14c45511d0f01e78eb0d546e93142f51b2d4d7cae4c61763bc29d3778c27
                                                                                          • Opcode Fuzzy Hash: 3846aff6390e4b45f075684899799d0b6f2626a42dd5b01ed87639f20b9fa95e
                                                                                          • Instruction Fuzzy Hash: BB31C772E00128ABCB20DED9DD409EEB7B8BB45218F1469ADD81DE3700DA319E448BD1
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,expected a single-segment buffer object), ref: 6C8AB729
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,expected a readable buffer object), ref: 6C8AB76D
                                                                                          • PyString_FromString.PYTHON27(null argument to internal routine), ref: 6C8AB796
                                                                                          • PyErr_SetObject.PYTHON27(6CA665C8,00000000,null argument to internal routine), ref: 6C8AB79F
                                                                                          Strings
                                                                                          • expected a single-segment buffer object, xrefs: 6C8AB723
                                                                                          • null argument to internal routine, xrefs: 6C8AB791
                                                                                          • expected a readable buffer object, xrefs: 6C8AB767
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String$FromObjectString_
                                                                                          • String ID: expected a readable buffer object$expected a single-segment buffer object$null argument to internal routine
                                                                                          • API String ID: 354487993-198770205
                                                                                          • Opcode ID: 65bd9d7cfc01d86aa73c8b4031de02484751a38d3654241426a1a93c5cb388b9
                                                                                          • Instruction ID: 695a40a827e1c28900a17fd75731bbccf0d8ba2760acfafe0837e7bc532da0d4
                                                                                          • Opcode Fuzzy Hash: 65bd9d7cfc01d86aa73c8b4031de02484751a38d3654241426a1a93c5cb388b9
                                                                                          • Instruction Fuzzy Hash: 3E21F936A012055BC721CEA5ED80B7673A4EF86238F208B69EC3C87B90D771D842C7D1
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,expected a single-segment buffer object), ref: 6C8AB82A
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,expected a writeable buffer object), ref: 6C8AB86F
                                                                                          • PyString_FromString.PYTHON27(null argument to internal routine), ref: 6C8AB898
                                                                                          • PyErr_SetObject.PYTHON27(6CA665C8,00000000,null argument to internal routine), ref: 6C8AB8A1
                                                                                          Strings
                                                                                          • expected a single-segment buffer object, xrefs: 6C8AB824
                                                                                          • expected a writeable buffer object, xrefs: 6C8AB869
                                                                                          • null argument to internal routine, xrefs: 6C8AB893
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String$FromObjectString_
                                                                                          • String ID: expected a single-segment buffer object$expected a writeable buffer object$null argument to internal routine
                                                                                          • API String ID: 354487993-377861076
                                                                                          • Opcode ID: 3493e67dbaac6d121ef087ac330cc2919d05f6dfba588d723064a48bc81efb22
                                                                                          • Instruction ID: 8b9b15180d7ecbe3b2c3c381db63f10b39c58eb93b2637a96cc3a8b1bc833515
                                                                                          • Opcode Fuzzy Hash: 3493e67dbaac6d121ef087ac330cc2919d05f6dfba588d723064a48bc81efb22
                                                                                          • Instruction Fuzzy Hash: C5210832A013195BD725CAA9AC80B6A73A4EB85779F148B69EC3C87B80D731D842C7D1
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(__int__), ref: 6C8AD7E2
                                                                                          • PyString_InternInPlace.PYTHON27(?), ref: 6C8AD7F5
                                                                                          • PyObject_GetAttr.PYTHON27(?,?), ref: 6C8AD82E
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8AD83C
                                                                                          • PyEval_CallObjectWithKeywords.PYTHON27(00000000,00000000,00000000), ref: 6C8AD859
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,?,?), ref: 6C8AD8A7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String_$AttrCallClearEval_FormatFromInternKeywordsObjectObject_PlaceStringWith
                                                                                          • String ID: __int__
                                                                                          • API String ID: 2531902524-1878893692
                                                                                          • Opcode ID: 379136815e88cc802d8cecab688a67e161f3bc0ef96594ab796b8f1c1b196e29
                                                                                          • Instruction ID: 0078966fff2d03063dd54f74b00ae1cac28a8db21e910dfb55be122a403e20c2
                                                                                          • Opcode Fuzzy Hash: 379136815e88cc802d8cecab688a67e161f3bc0ef96594ab796b8f1c1b196e29
                                                                                          • Instruction Fuzzy Hash: 7331D571E006259BD728CA99DE40A9A73B8EB41728F244F69ED18C7B40E735E90787D1
                                                                                          APIs
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000002,?,?,?,6C8DAC07,?,?,00000000,?,?,?,6C8DC01A,?,?,?), ref: 6C8DA971
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8DA996
                                                                                          • PyObject_Call.PYTHON27(?,00000000,00000000), ref: 6C8DA9D6
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,comparison function must return int, not %.200s,?), ref: 6C8DAA11
                                                                                          • PyInt_AsLong.PYTHON27(00000000), ref: 6C8DAA34
                                                                                          Strings
                                                                                          • comparison function must return int, not %.200s, xrefs: 6C8DAA0B
                                                                                          • GC object already tracked, xrefs: 6C8DA991
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object_$CallErr_ErrorFatalFormatInt_Long
                                                                                          • String ID: GC object already tracked$comparison function must return int, not %.200s
                                                                                          • API String ID: 2801527718-2912598312
                                                                                          • Opcode ID: 03c101455419aab90cf228995ce45694ea8631f215a6037284f6cdfec002f58f
                                                                                          • Instruction ID: 98b26992129cb61a9114fd78a491caf4e8310de1ff1e85ae21c303af6eea2d25
                                                                                          • Opcode Fuzzy Hash: 03c101455419aab90cf228995ce45694ea8631f215a6037284f6cdfec002f58f
                                                                                          • Instruction Fuzzy Hash: 2631B2B19116029FC7209F28DA41AA6B3F4FF55334B258B69D86987B80E734E857CBC1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\tupleobject.c,00000036,00000000,6C8AB1D5,?,?,?,6C8AF66F,00000000,?,00000000,6C8AF785,00000000), ref: 6C8F7DA3
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8F7E44
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8F7D9D
                                                                                          • ..\Objects\tupleobject.c, xrefs: 6C8F7D98
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\tupleobject.c$GC object already tracked
                                                                                          • API String ID: 376477240-2731488381
                                                                                          • Opcode ID: 25f2395dfc03a0f4273182e212fbf5fd0cafc8216375ec48da28ac8241680238
                                                                                          • Instruction ID: 34ba2435f41c751bdb45a5f2adc6c1aa8306c5e23edd5a56d071efc8fa450624
                                                                                          • Opcode Fuzzy Hash: 25f2395dfc03a0f4273182e212fbf5fd0cafc8216375ec48da28ac8241680238
                                                                                          • Instruction Fuzzy Hash: A63158727012014FEB309E5DE9815A5B3F4F7527A6B904B7ADD29C3B44E731982786E0
                                                                                          Strings
                                                                                          • %.100s.__format__ must return string or unicode, not %.100s, xrefs: 6C8AC390
                                                                                          • format expects arg 2 to be string or unicode, not %.100s, xrefs: 6C8AC3BC
                                                                                          • __format__, xrefs: 6C8AC2D5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: %.100s.__format__ must return string or unicode, not %.100s$__format__$format expects arg 2 to be string or unicode, not %.100s
                                                                                          • API String ID: 0-3990589480
                                                                                          • Opcode ID: 3b796716477db3662221a50cd43fa467933243b6b3266d9f54dfc6ece061c0f7
                                                                                          • Instruction ID: 60faf59315622fd2543e838082cd00933c730e34d7762ed334a26dae631a111d
                                                                                          • Opcode Fuzzy Hash: 3b796716477db3662221a50cd43fa467933243b6b3266d9f54dfc6ece061c0f7
                                                                                          • Instruction Fuzzy Hash: B831B875A012049BD721EFD9CA40B9EB3B4FF54328F148A58E82497B81D376DD42CBD1
                                                                                          APIs
                                                                                          • PyNumber_AsSsize_t.PYTHON27(?,6CA65B38), ref: 6C8AB4C5
                                                                                          • PySequence_DelItem.PYTHON27(?,00000000), ref: 6C8AB4E0
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AB53F
                                                                                          Strings
                                                                                          • '%.200s' object does not support item deletion, xrefs: 6C8AB512
                                                                                          • null argument to internal routine, xrefs: 6C8AB539
                                                                                          • sequence index must be integer, not '%.200s', xrefs: 6C8AB4F3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_ItemNumber_Sequence_Ssize_tString
                                                                                          • String ID: '%.200s' object does not support item deletion$null argument to internal routine$sequence index must be integer, not '%.200s'
                                                                                          • API String ID: 3718473444-2233375764
                                                                                          • Opcode ID: cefa3c3fc5ef86ace38e37f1e49a036584e97548d0a943ea185c36d6c336c7b9
                                                                                          • Instruction ID: 1736fc61f704c0144ae5499bb6964c84bc640db053550efc1e19e7a7a21d9341
                                                                                          • Opcode Fuzzy Hash: cefa3c3fc5ef86ace38e37f1e49a036584e97548d0a943ea185c36d6c336c7b9
                                                                                          • Instruction Fuzzy Hash: 8F21FE757022059FE7188A95FD80FB67368AF4433DF244F69E82D47E81D731E496C650
                                                                                          APIs
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000002), ref: 6C8380A4
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8380CA
                                                                                          • PyInt_FromLong.PYTHON27 ref: 6C838102
                                                                                          • _PyLong_FromByteArray.PYTHON27(?,00000004,00000001,00000001), ref: 6C83811B
                                                                                            • Part of subcall function 6C8DDBF0: PyLong_FromLong.PYTHON27(?,00000001,?,6C8AE114), ref: 6C8DDC05
                                                                                          • PyInt_FromLong.PYTHON27(000000FE), ref: 6C838139
                                                                                          • _PyLong_FromByteArray.PYTHON27(?,00000004,00000001,00000001), ref: 6C838152
                                                                                            • Part of subcall function 6C8DDBF0: PyErr_SetString.PYTHON27(6CA663F8,byte array too long to convert to int,?,?), ref: 6C8DDC8C
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8380C5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: From$LongLong_$ArrayByteInt_$Err_ErrorFatalObject_String
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 194711319-3349536495
                                                                                          • Opcode ID: d3fdfc6d5ee5fa6c055b37acf642bd5dde76c1a04bd2e4b2c9bc879f5cd41fe1
                                                                                          • Instruction ID: 91420842cc924606b167d7193da3e76eb3ad792f2b4b5be4791da60a340aee0f
                                                                                          • Opcode Fuzzy Hash: d3fdfc6d5ee5fa6c055b37acf642bd5dde76c1a04bd2e4b2c9bc879f5cd41fe1
                                                                                          • Instruction Fuzzy Hash: 0731F8B19003018BD730DF68DD01696B3A4FB51328F105F2BD97997BC0E775A54A8BD1
                                                                                          APIs
                                                                                          • PyErr_NoMemory.PYTHON27(?,?,6C8E38F0,00000014,?), ref: 6C8E366E
                                                                                            • Part of subcall function 6C940380: PyErr_GivenExceptionMatches.PYTHON27(00000000,6CA667A8,?,6C8F7E82,00000000,6C8AB1D5,?,?,?,6C8AF66F,00000000,?,00000000,6C8AF785,00000000), ref: 6C940396
                                                                                            • Part of subcall function 6C940380: PyErr_SetObject.PYTHON27(6CA667A8,?), ref: 6C9403B3
                                                                                          • malloc.MSVCR90 ref: 6C8E3690
                                                                                          • PyErr_NoMemory.PYTHON27(00000000,?,?,6C8E38F0,00000014,?), ref: 6C8E369F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$Memory$ExceptionGivenMatchesObjectmalloc
                                                                                          • String ID: F
                                                                                          • API String ID: 3549491605-1304234792
                                                                                          • Opcode ID: 73dc56df269b568fc1c2aff7aa0254ed50bb14f049bc426af9b522a608eadd9a
                                                                                          • Instruction ID: a65193dc65648397af570562ff5d256f21a367aac7250ec85a0af7d1d94e8ffa
                                                                                          • Opcode Fuzzy Hash: 73dc56df269b568fc1c2aff7aa0254ed50bb14f049bc426af9b522a608eadd9a
                                                                                          • Instruction Fuzzy Hash: 5A21E5716042045BD7309E75DA8166B77F8DF46338F204B68FC1AC7BA0E635ED058A61
                                                                                          APIs
                                                                                          • PyInt_FromLong.PYTHON27(00000001,?,?,?,6C90C173,6CA5FB7C,00000000,6CA5FB7C,6CA5FB7C,?,6C90C7E7,6CA5FB7C), ref: 6C90C01C
                                                                                          • PyObject_GetItem.PYTHON27(?,00000000,6CA5FB7C), ref: 6C90C033
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA65A68,?,?,6CA5FB7C), ref: 6C90C063
                                                                                          • PyErr_Clear.PYTHON27(?,?,?,?,6CA5FB7C), ref: 6C90C06F
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,character mapping must return integer, None or str,?,?,6CA5FB7C), ref: 6C90C0C5
                                                                                          Strings
                                                                                          • character mapping must return integer, None or str, xrefs: 6C90C0B9
                                                                                          • character mapping must be in range(256), xrefs: 6C90C0AB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$ClearExceptionFromGivenInt_ItemLongMatchesObject_String
                                                                                          • String ID: character mapping must be in range(256)$character mapping must return integer, None or str
                                                                                          • API String ID: 2078585664-499293463
                                                                                          • Opcode ID: d21421bc9f708d50b4411193dbe7f4f5a1e289e4f69e05e5eca6e8e465327322
                                                                                          • Instruction ID: c6840952888c666afb823b42efe354388165b837c9e179404b3e49f720a1fd52
                                                                                          • Opcode Fuzzy Hash: d21421bc9f708d50b4411193dbe7f4f5a1e289e4f69e05e5eca6e8e465327322
                                                                                          • Instruction Fuzzy Hash: F521CC76B016019BCB20AA69EC009A773BCDB95329F14836DEC6887B80D735DC56C7E2
                                                                                          APIs
                                                                                          • PyCapsule_GetName.PYTHON27(?), ref: 6C8BECBA
                                                                                            • Part of subcall function 6C8B9220: PyErr_SetString.PYTHON27(6CA65D10,PyCapsule_GetName called with invalid PyCapsule object), ref: 6C8B9244
                                                                                          • PyCapsule_GetPointer.PYTHON27(?,00000000,?), ref: 6C8BECC1
                                                                                            • Part of subcall function 6C8B91C0: PyErr_SetString.PYTHON27(6CA65D10,PyCapsule_GetPointer called with invalid PyCapsule object), ref: 6C8B91E6
                                                                                          • PyString_FromString.PYTHON27(PyCObject_AsVoidPtr called with null pointer), ref: 6C8BED09
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,PyCObject_AsVoidPtr called with null pointer), ref: 6C8BED12
                                                                                          Strings
                                                                                          • PyCObject_AsVoidPtr with non-C-object, xrefs: 6C8BECE4
                                                                                          • PyCObject_AsVoidPtr called with null pointer, xrefs: 6C8BED04
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String$Capsule_$FromNameObjectPointerString_
                                                                                          • String ID: PyCObject_AsVoidPtr called with null pointer$PyCObject_AsVoidPtr with non-C-object
                                                                                          • API String ID: 4117292631-4195522665
                                                                                          • Opcode ID: c436891f47c11a0d4587d4f80f71302f0f1cc01c31c59a98afc1d46ea0955e43
                                                                                          • Instruction ID: 776185300f35a17cd20b5ff2907d9e9b5c3d9512eab9a5518248232fdabe5fff
                                                                                          • Opcode Fuzzy Hash: c436891f47c11a0d4587d4f80f71302f0f1cc01c31c59a98afc1d46ea0955e43
                                                                                          • Instruction Fuzzy Hash: FF010872D115255B8621AA5DBD0089E33A8DB5623CB044BA9EC2CA7F40D731EC5693D1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,Argument given by name ('%s') and position (1)), ref: 6C836107
                                                                                          • sprintf.MSVCR90 ref: 6C836128
                                                                                          • PyErr_WarnEx.PYTHON27(6CA66B30,?,00000001), ref: 6C83613A
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,Required argument 'string' (pos 1) not found), ref: 6C83616C
                                                                                          Strings
                                                                                          • The '%s' keyword parameter name is deprecated. Use 'string' instead., xrefs: 6C836122
                                                                                          • Argument given by name ('%s') and position (1), xrefs: 6C836101
                                                                                          • Required argument 'string' (pos 1) not found, xrefs: 6C836166
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$FormatStringWarnsprintf
                                                                                          • String ID: Argument given by name ('%s') and position (1)$Required argument 'string' (pos 1) not found$The '%s' keyword parameter name is deprecated. Use 'string' instead.
                                                                                          • API String ID: 3032582101-1497271356
                                                                                          • Opcode ID: 0a8c904f7e77c5b71916b9dea1919045feccecc84e13da93fcaccf2e2dc24846
                                                                                          • Instruction ID: d5e0f001571155c5917eeb4d3a48f5c688784e1833935462dd15bd79976f5202
                                                                                          • Opcode Fuzzy Hash: 0a8c904f7e77c5b71916b9dea1919045feccecc84e13da93fcaccf2e2dc24846
                                                                                          • Instruction Fuzzy Hash: DD1140317102085F9F08DBB89D12AAE73B4DB59248B40455DEC0EE7B41EF35D50487C0
                                                                                          APIs
                                                                                          • isspace.MSVCR90 ref: 6C94F0B9
                                                                                          • PyOS_strtoul.PYTHON27(?,?,?,?,?,?,6C8D7604,?,?,?), ref: 6C94F0E1
                                                                                          • _errno.MSVCR90 ref: 6C94F10B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: S_strtoul_errnoisspace
                                                                                          • String ID: +$-$-$-
                                                                                          • API String ID: 607549006-1581796996
                                                                                          • Opcode ID: 2e12038253c92e2b9863b5029f5ccf753fba7b665834ac049e42d31adebc7901
                                                                                          • Instruction ID: a615e8eb929a14d70e4dc05daf0933ae628046bae8cf878eabd3a65bbb32aa2f
                                                                                          • Opcode Fuzzy Hash: 2e12038253c92e2b9863b5029f5ccf753fba7b665834ac049e42d31adebc7901
                                                                                          • Instruction Fuzzy Hash: 2501477258915A9FFB204959E810BF673ADDB8637CF388643ECA4C3A81C626D84143A0
                                                                                          APIs
                                                                                          • _PyLong_Frexp.PYTHON27(?,?), ref: 6C8DFDD2
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,long int too large to convert to float), ref: 6C8DFE0D
                                                                                          • ldexp.MSVCR90 ref: 6C8DFE26
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\longobject.c,00000920), ref: 6C8DFE49
                                                                                          Strings
                                                                                          • ..\Objects\longobject.c, xrefs: 6C8DFE3E
                                                                                          • long int too large to convert to float, xrefs: 6C8DFE07
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8DFE43
                                                                                          APIs
                                                                                          • PySequence_Check.PYTHON27(6C8AFF2A,?,?,?,6C8AFF2A,?), ref: 6C8D8D2C
                                                                                            • Part of subcall function 6C8ADF00: PyObject_GetAttrString.PYTHON27(?,__getitem__), ref: 6C8ADF1A
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\iterobject.c,00000011,?), ref: 6C8D8D4A
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000010,?), ref: 6C8D8D61
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked,?,?), ref: 6C8D8D96
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8D8D91
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D8D44
                                                                                          • ..\Objects\iterobject.c, xrefs: 6C8D8D3F
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(6CAEF1C3,?,?,6C8E5944), ref: 6C950ECB
                                                                                          • TlsGetValue.KERNEL32(?,?,6C8E5944), ref: 6C950ED4
                                                                                          • SetLastError.KERNEL32(00000000,?,6C8E5944), ref: 6C950EDD
                                                                                          • Py_FatalError.PYTHON27(Couldn't create thread-state for new thread), ref: 6C950F06
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          • PyEval_RestoreThread.PYTHON27(00000000,?,6C8E5944), ref: 6C950F25
                                                                                          • PyEval_InitThreads.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8E5944), ref: 6C950F34
                                                                                            • Part of subcall function 6C950600: malloc.MSVCR90 ref: 6C950607
                                                                                            • Part of subcall function 6C950600: GetCurrentThreadId.KERNEL32 ref: 6C95065C
                                                                                            • Part of subcall function 6C950600: _PyThreadState_Init.PYTHON27(00000000), ref: 6C950692
                                                                                            • Part of subcall function 6C950600: InterlockedDecrement.KERNEL32(?), ref: 6C9506C9
                                                                                            • Part of subcall function 6C950600: SetEvent.KERNEL32(?), ref: 6C9506D7
                                                                                          Strings
                                                                                          • Couldn't create thread-state for new thread, xrefs: 6C950F01
                                                                                          APIs
                                                                                          • PyObject_RichCompare.PYTHON27(00000000,?,00000000,?,?,?,?,00000000), ref: 6C8DB087
                                                                                          • PyObject_RichCompare.PYTHON27(00000000,?,00000000,?,?,00000000), ref: 6C8DB11B
                                                                                          • PyObject_IsTrue.PYTHON27(00000000,?,?,?,?,?,00000000), ref: 6C8DB147
                                                                                            • Part of subcall function 6C8DA940: Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8DA996
                                                                                            • Part of subcall function 6C8DA940: PyObject_Call.PYTHON27(?,00000000,00000000), ref: 6C8DA9D6
                                                                                            • Part of subcall function 6C8DA940: PyErr_Format.PYTHON27(6CA648B0,comparison function must return int, not %.200s,?), ref: 6C8DAA11
                                                                                          • PyObject_RichCompare.PYTHON27(00000000,?,00000000,?,?,00000000), ref: 6C8DB1F1
                                                                                          • PyObject_RichCompare.PYTHON27(00000000,?,00000000,?,?,00000000), ref: 6C8DB2B1
                                                                                          • PyObject_IsTrue.PYTHON27(00000000,?,?,?,?,?,00000000), ref: 6C8DB2E0
                                                                                          APIs
                                                                                          • Py_InitModule4.PYTHON27(_heapq,6CA8C8E8,Heap queue algorithm (a.k.a. priority queue).Heaps are arrays for which a[k] <= a[2*k+1] and a[k] <= a[2*k+2] forall k, counting elements from 0. For the sake of comparison,non-existing elements are considered to be infinite. The interestingproperty of ,00000000,000003F5), ref: 6C828F67
                                                                                          • PyString_FromString.PYTHON27(Heap queues[explanation by Franois Pinard]Heaps are arrays for which a[k] <= a[2*k+1] and a[k] <= a[2*k+2] forall k, counting elements from 0. For the sake of comparison,non-existing elements are considered to be infinite. The interestingproperty of ), ref: 6C828F7A
                                                                                          • PyModule_AddObject.PYTHON27(00000000,__about__,00000000,Heap queues[explanation by Franois Pinard]Heaps are arrays for which a[k] <= a[2*k+1] and a[k] <= a[2*k+2] forall k, counting elements from 0. For the sake of comparison,non-existing elements are considered to be infinite. The interestingproperty of ), ref: 6C828F86
                                                                                            • Part of subcall function 6C94EC70: PyType_IsSubtype.PYTHON27(?,?,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94EC87
                                                                                            • Part of subcall function 6C94EC70: PyErr_SetString.PYTHON27(6CA648B0,PyModule_AddObject() needs module as first arg,deque,6CA8FF60), ref: 6C94EC9E
                                                                                          Strings
                                                                                          • _heapq, xrefs: 6C828F62
                                                                                          • Heap queue algorithm (a.k.a. priority queue).Heaps are arrays for which a[k] <= a[2*k+1] and a[k] <= a[2*k+2] forall k, counting elements from 0. For the sake of comparison,non-existing elements are considered to be infinite. The interestingproperty of , xrefs: 6C828F58
                                                                                          • __about__, xrefs: 6C828F80
                                                                                          • Heap queues[explanation by Franois Pinard]Heaps are arrays for which a[k] <= a[2*k+1] and a[k] <= a[2*k+2] forall k, counting elements from 0. For the sake of comparison,non-existing elements are considered to be infinite. The interestingproperty of , xrefs: 6C828F75
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(850C2444,?,?,6CA5F440,?,?,?,?,?,?,6C8BF060,00000000), ref: 6C8E9C5B
                                                                                          • PyType_IsSubtype.PYTHON27(850C2444,?,?,6CA5F440,?,?,?,?,?,?,6C8BF060,00000000), ref: 6C8E9C71
                                                                                          • PyDict_Size.PYTHON27(6C8BF060,?,?,?,6CA5F440,?,?,?,?,?,?,6C8BF060,00000000), ref: 6C8E9C91
                                                                                          • _PyDict_Next.PYTHON27(6C8BF060,?,?,?,?,?,?,?,?,6CA5F440), ref: 6C8E9CE0
                                                                                          • _PyDict_Next.PYTHON27(6C8BF060,?,?,?,?,?,?,?,?,?,?,?,?,?,6CA5F440), ref: 6C8E9D20
                                                                                            • Part of subcall function 6C8E8F50: PyErr_NoMemory.PYTHON27(6C8BF060,00000000,?,?,?,?,?,?,?,?,?,?,?,6C8E978E,00000000,850C2444), ref: 6C8E8F70
                                                                                          • PyObject_GetIter.PYTHON27(6C8BF060,?,?,?,6CA5F440,?,?,?,?,?,?,6C8BF060,00000000), ref: 6C8E9D34
                                                                                          • PyIter_Next.PYTHON27(00000000,?,?,?,?,6CA5F440,?,?,?,?,?,?,6C8BF060,00000000), ref: 6C8E9D47
                                                                                          • PyIter_Next.PYTHON27(00000000,?,?,?,?,?,6CA5F440,?,?,?,?,?,?,6C8BF060,00000000), ref: 6C8E9D75
                                                                                          APIs
                                                                                          • PyDict_GetItem.PYTHON27(?,?), ref: 6C829C6F
                                                                                          • PyDict_New.PYTHON27 ref: 6C829C7F
                                                                                            • Part of subcall function 6C8C4510: PyString_FromString.PYTHON27(<dummy key>,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4529
                                                                                          • Py_BuildValue.PYTHON27(6C96BAA8,?,00000000), ref: 6C829C9B
                                                                                          • PyDict_SetItem.PYTHON27(?,?,00000000), ref: 6C829CB2
                                                                                          • PyInt_FromLong.PYTHON27(?), ref: 6C829D22
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C829D30
                                                                                          • PyDict_GetItem.PYTHON27(?,00000000), ref: 6C829D42
                                                                                          • PyDict_SetItem.PYTHON27(?,00000000,?), ref: 6C829D91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Dict_$Item$From$BuildClearErr_Int_LongStringString_Value
                                                                                          • String ID:
                                                                                          • API String ID: 232765214-0
                                                                                          • Opcode ID: 71e0e4bd65edaccf582b90780502baacd5b7ed8a5c5da3562cafce091b539c24
                                                                                          • Instruction ID: 945c4b0d88a40c30ec33a22aee40c63eef3dcfd61c06010817e867e93c213fb1
                                                                                          • Opcode Fuzzy Hash: 71e0e4bd65edaccf582b90780502baacd5b7ed8a5c5da3562cafce091b539c24
                                                                                          • Instruction Fuzzy Hash: 5A41E2B1A012009BC720DB68DD449EA73F8EF84338B144BA8EC2987781E735ED91D7D1
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Iatan2IcosIexpIlogIpowIsin_errno_hypot
                                                                                          • String ID:
                                                                                          • API String ID: 482299394-0
                                                                                          • Opcode ID: 8cd9cb582a6093367f1a31e06f91c1872a96452d7f0e78dbb2aa76b702aa502c
                                                                                          • Instruction ID: d6076afc01c97ff6f709fc74c29a7cfa1dd19900d52ebd72ef9a896e58ab5c59
                                                                                          • Opcode Fuzzy Hash: 8cd9cb582a6093367f1a31e06f91c1872a96452d7f0e78dbb2aa76b702aa502c
                                                                                          • Instruction Fuzzy Hash: 3231A7B1B0460AE2CB027F15EA457C97FA4EF863A0F114AC4E9D5716E4EB32C93487C6
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: _errno_isnan
                                                                                          • String ID:
                                                                                          • API String ID: 68835812-0
                                                                                          • Opcode ID: 6812f8261f781cf4ef87d5cad296570df44ed343434c752c0257e5949aebf01b
                                                                                          • Instruction ID: 60fcca17230d908ba6e7f508eeb40b5fe7e1d97d8b77496fc2e648f14c234ab6
                                                                                          • Opcode Fuzzy Hash: 6812f8261f781cf4ef87d5cad296570df44ed343434c752c0257e5949aebf01b
                                                                                          • Instruction Fuzzy Hash: 03310C62F0051862DF023FA5EE052D43BB4EB066D1F215BD9DC89A16E4FF2388795BC6
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Ilog_isnan$Isqrt_copysign_finite
                                                                                          • String ID:
                                                                                          • API String ID: 3182319696-0
                                                                                          • Opcode ID: faeb707a0900a47086d597faf322b2fd8eba89723726ea678e336b39a74f4f36
                                                                                          • Instruction ID: 419f7f30c809a237ee5af3d96bd4071de75077a3a585a428c832b75627f33903
                                                                                          • Opcode Fuzzy Hash: faeb707a0900a47086d597faf322b2fd8eba89723726ea678e336b39a74f4f36
                                                                                          • Instruction Fuzzy Hash: B6210461A04A2D93DB003FA5FA191DC7F74EF47386F116A98E8C990594FF32847987CA
                                                                                          APIs
                                                                                          • frexp.MSVCR90 ref: 6C8D3E1D
                                                                                          • ldexp.MSVCR90 ref: 6C8D3E6E
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,float too large to pack with d format), ref: 6C8D3FA7
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,frexp() result out of range), ref: 6C8D3FC8
                                                                                          Strings
                                                                                          • frexp() result out of range, xrefs: 6C8D3FC0
                                                                                          • float too large to pack with d format, xrefs: 6C8D3FA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String$frexpldexp
                                                                                          • String ID: float too large to pack with d format$frexp() result out of range
                                                                                          • API String ID: 210449120-471396154
                                                                                          • Opcode ID: caccfff30a510a3bbb6fa6d7fb4a6bdfc93abf1e30d4d1da05a3eacdd28a5ada
                                                                                          • Instruction ID: 9aea1c7ce922d1079477123eef11cf7a1a470a25ba2a5e598182ee5949812aa5
                                                                                          • Opcode Fuzzy Hash: caccfff30a510a3bbb6fa6d7fb4a6bdfc93abf1e30d4d1da05a3eacdd28a5ada
                                                                                          • Instruction Fuzzy Hash: 66714732A0A34696C7220F29DA8028A7FB0DF92354F154E6DF8C5D37E1E621C855C792
                                                                                          APIs
                                                                                          • PyObject_GetIter.PYTHON27(?,-00000010,00000000), ref: 6C8DA644
                                                                                            • Part of subcall function 6C8AFF00: PySequence_Check.PYTHON27(?), ref: 6C8AFF18
                                                                                            • Part of subcall function 6C8AFF00: PySeqIter_New.PYTHON27(?), ref: 6C8AFF25
                                                                                          • _PyObject_LengthHint.PYTHON27(?,00000008), ref: 6C8DA663
                                                                                            • Part of subcall function 6C8AB130: PyObject_Size.PYTHON27(?), ref: 6C8AB13C
                                                                                            • Part of subcall function 6C8AB130: PyErr_GivenExceptionMatches.PYTHON27(?,6CA648B0), ref: 6C8AB160
                                                                                            • Part of subcall function 6C8AB130: PyErr_GivenExceptionMatches.PYTHON27(?,6CA655C0), ref: 6C8AB17D
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA64978), ref: 6C8DA71D
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8DA729
                                                                                          • PySequence_Fast.PYTHON27(?,argument must be iterable,-00000010,00000000), ref: 6C8DA764
                                                                                          Strings
                                                                                          • argument must be iterable, xrefs: 6C8DA75E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$ExceptionGivenMatchesObject_$Sequence_$CheckClearFastHintIterIter_LengthSize
                                                                                          • String ID: argument must be iterable
                                                                                          • API String ID: 3611713048-1209305317
                                                                                          • Opcode ID: ac9aa7b384ec4cedc0b86ee4d37bf5a9f4bb3462667adcb5f8f5d4715e8b8bfa
                                                                                          • Instruction ID: 025a8362604cfe7c6326cc571ad90638060f8a783453d476da431cb5c387a898
                                                                                          • Opcode Fuzzy Hash: ac9aa7b384ec4cedc0b86ee4d37bf5a9f4bb3462667adcb5f8f5d4715e8b8bfa
                                                                                          • Instruction Fuzzy Hash: C851C775A006028BC724DE68D98089AB3B0BF46338B364B69EC6587B91D734FC56CBD1
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C82F14E
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C82F188
                                                                                          • PyList_New.PYTHON27(00000001), ref: 6C82F1CF
                                                                                          • malloc.MSVCR90 ref: 6C82F220
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C82F22D
                                                                                            • Part of subcall function 6C940380: PyErr_GivenExceptionMatches.PYTHON27(00000000,6CA667A8,?,6C8F7E82,00000000,6C8AB1D5,?,?,?,6C8AF66F,00000000,?,00000000,6C8AF785,00000000), ref: 6C940396
                                                                                            • Part of subcall function 6C940380: PyErr_SetObject.PYTHON27(6CA667A8,?), ref: 6C9403B3
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C82F183
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$ErrorExceptionFatalGivenList_MallocMatchesMemoryObjectObject_malloc
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 4141357651-3349536495
                                                                                          • Opcode ID: 2d9eeabda9cc96bed71ba1e52bfca2ac8ac22dbe997421b1b49beba3a17169d4
                                                                                          • Instruction ID: 2337374ee0e3b96d5dffb5d600304482593ac434b73fedef7cb1d57eec818cd7
                                                                                          • Opcode Fuzzy Hash: 2d9eeabda9cc96bed71ba1e52bfca2ac8ac22dbe997421b1b49beba3a17169d4
                                                                                          • Instruction Fuzzy Hash: F05122756003128FD718CF59D948555B7F0EB96318B248A7ED868CBB80E335E887CBC0
                                                                                          APIs
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8308FF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFatal
                                                                                          • String ID: ((OllddO))$GC object already tracked
                                                                                          • API String ID: 2938028924-2749141861
                                                                                          • Opcode ID: acd6d09ee396e54d2aed802a3ae0aa0fcb85bda33688a337586ebf680dd1f00f
                                                                                          • Instruction ID: e1579f8295bae667eae4f1d70ffac28a260720ac8b2f04e8b7e450210df6b121
                                                                                          • Opcode Fuzzy Hash: acd6d09ee396e54d2aed802a3ae0aa0fcb85bda33688a337586ebf680dd1f00f
                                                                                          • Instruction Fuzzy Hash: 9D41D0B1A006529FDB209F99D980856B3F4FB493247119A7DD86D87B40D730F855CBD0
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: _finite$DoubleFromLong__isnanmodf
                                                                                          • String ID:
                                                                                          • API String ID: 3759321570-0
                                                                                          • Opcode ID: 339fb115bc57f80829270121433e693a4cdce71d6c698db0ec2ad0b2374bea50
                                                                                          • Instruction ID: 5071f59f5b649492c831bec39b95e294b7cc9ecf2a4a78b935a1810f6c6f37ae
                                                                                          • Opcode Fuzzy Hash: 339fb115bc57f80829270121433e693a4cdce71d6c698db0ec2ad0b2374bea50
                                                                                          • Instruction Fuzzy Hash: EA311071A1441993CB107F2DEE0528D7BB4EF46365F140BB9FD98C16D0EB22892D87C1
                                                                                          APIs
                                                                                          • PyArg_ParseTupleAndKeywords.PYTHON27(?,?,OOOOOOOOO:make_encoder,6CA8B8BC,?,?,?,?,?,?,?,?,?), ref: 6C82DFDC
                                                                                          • PyObject_IsTrue.PYTHON27(?), ref: 6C82DFF1
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,make_encoder() argument 1 must be dict or None, not %.200s,?), ref: 6C82E025
                                                                                          Strings
                                                                                          • make_encoder() argument 1 must be dict or None, not %.200s, xrefs: 6C82E01F
                                                                                          • OOOOOOOOO:make_encoder, xrefs: 6C82DFD5
                                                                                          Similarity
                                                                                          • API ID: Arg_Err_FormatKeywordsObject_ParseTrueTuple
                                                                                          • String ID: OOOOOOOOO:make_encoder$make_encoder() argument 1 must be dict or None, not %.200s
                                                                                          • API String ID: 1781283350-23895984
                                                                                          • Opcode ID: 563f066ec4b5de48d8cea947018ae9b25942d4b3f1b09869bc4e21a5db3c7a83
                                                                                          • Instruction ID: f7ee632238505ee3f04fdb25fc1dcca67cc4104cbdb4a07a7bd686429406dab6
                                                                                          • Opcode Fuzzy Hash: 563f066ec4b5de48d8cea947018ae9b25942d4b3f1b09869bc4e21a5db3c7a83
                                                                                          • Instruction Fuzzy Hash: 79414E75A006089FC724CF99D980DABF7F4FF48311B008A6AE90A97B11E735E945CB90
                                                                                          APIs
                                                                                          • _PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|O:groupdict,6CA8A20C,?), ref: 6C837E13
                                                                                          • PyDict_New.PYTHON27 ref: 6C837E25
                                                                                          • _PyObject_CallMethod_SizeT.PYTHON27(?,keys,00000000), ref: 6C837E51
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Size$Arg_CallDict_Keywords_Method_Object_ParseTuple
                                                                                          • String ID: keys$|O:groupdict
                                                                                          • API String ID: 2100346386-554732576
                                                                                          • Opcode ID: 33d7a363f5b314a9e00e21a2f4c9b149e6c035303a907aafc2ead767c17a2d12
                                                                                          • Instruction ID: 646f9e010bb562db1021f67f2d0fcba96a290a1bcd48c23eb462974963e819a6
                                                                                          • Opcode Fuzzy Hash: 33d7a363f5b314a9e00e21a2f4c9b149e6c035303a907aafc2ead767c17a2d12
                                                                                          • Instruction Fuzzy Hash: 2441B676A00115DBCB10CE98DE40A9A73B5EF84738B2556A4DC1C9BB81E731ED46C7D1
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: strchr$FromStringString_
                                                                                          • String ID:
                                                                                          • API String ID: 1648105354-0
                                                                                          • Opcode ID: 21b367d20b9aa7ea9a7cd76d39ea24a5f0c8bdb25a998ee51a11da8c3d2ec941
                                                                                          • Instruction ID: dd7ad14b09bc3c2f9d349e57251163c5ba6a8a8cb9ed5e0b96b67a33fdf55072
                                                                                          • Opcode Fuzzy Hash: 21b367d20b9aa7ea9a7cd76d39ea24a5f0c8bdb25a998ee51a11da8c3d2ec941
                                                                                          • Instruction Fuzzy Hash: A641F370A44B008FD720EF69C980B52B7F4FB49315F108A2DE94ACBA92D779F846CB51
                                                                                          APIs
                                                                                          • PyObject_GetIter.PYTHON27(?), ref: 6C82708E
                                                                                            • Part of subcall function 6C8AFF00: PySequence_Check.PYTHON27(?), ref: 6C8AFF18
                                                                                            • Part of subcall function 6C8AFF00: PySeqIter_New.PYTHON27(?), ref: 6C8AFF25
                                                                                          • PyString_FromString.PYTHON27(writerows() argument must be iterable), ref: 6C8270A7
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,writerows() argument must be iterable), ref: 6C8270B0
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA64978), ref: 6C827134
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C827140
                                                                                          Strings
                                                                                          • writerows() argument must be iterable, xrefs: 6C8270A2
                                                                                          Similarity
                                                                                          • API ID: Err_$CheckClearExceptionFromGivenIterIter_MatchesObjectObject_Sequence_StringString_
                                                                                          • String ID: writerows() argument must be iterable
                                                                                          • API String ID: 2549401372-413612228
                                                                                          • Opcode ID: dacf31ba6e9c837f231b9acf319158e9365329683564b41b2ab88d2a67581c20
                                                                                          • Instruction ID: 4b7620112259a3a39fdac4e76e7059e8dafa425bdff4d1aec932d44e836d719e
                                                                                          • Opcode Fuzzy Hash: dacf31ba6e9c837f231b9acf319158e9365329683564b41b2ab88d2a67581c20
                                                                                          • Instruction Fuzzy Hash: 6431F872A002018BC7249EA6ED8589673B4EF95338B148768ED2C8B781E739DC96C7D1
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(lo must be non-negative), ref: 6C82101C
                                                                                          • PyErr_SetObject.PYTHON27(6CA65D10,00000000,lo must be non-negative), ref: 6C821025
                                                                                          • PySequence_Size.PYTHON27(?), ref: 6C821056
                                                                                          • PySequence_GetItem.PYTHON27(?,?), ref: 6C82107C
                                                                                          • PyObject_RichCompare.PYTHON27(?,00000000,00000000), ref: 6C821091
                                                                                          Strings
                                                                                          • lo must be non-negative, xrefs: 6C821017
                                                                                          Similarity
                                                                                          • API ID: Sequence_$CompareErr_FromItemObjectObject_RichSizeStringString_
                                                                                          • String ID: lo must be non-negative
                                                                                          • API String ID: 3897809422-626569241
                                                                                          • Opcode ID: e7b5bcdf0305388129e1d9cf9f43f350a1f17a95d70a8503a8e617ace271fc2a
                                                                                          • Instruction ID: 9be0c49e51d117627ce498469fea6a141ee5f7d9e1fbbc0f01e9058ab63e7d60
                                                                                          • Opcode Fuzzy Hash: e7b5bcdf0305388129e1d9cf9f43f350a1f17a95d70a8503a8e617ace271fc2a
                                                                                          • Instruction Fuzzy Hash: 37311875901149ABC720CFA9DA4459EB7B0EF45328F240669EC2897780E339DE81D7D1
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(heap argument must be a list), ref: 6C828494
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,heap argument must be a list), ref: 6C82849D
                                                                                          • PyErr_SetString.PYTHON27(6CA65B38,index out of range), ref: 6C8284D5
                                                                                          • PyList_SetSlice.PYTHON27(?,?,?,00000000), ref: 6C8284F7
                                                                                            • Part of subcall function 6C8282E0: PyString_FromString.PYTHON27(index out of range), ref: 6C82830A
                                                                                            • Part of subcall function 6C8282E0: PyErr_SetObject.PYTHON27(6CA65B38,00000000,index out of range), ref: 6C828313
                                                                                          Strings
                                                                                          • index out of range, xrefs: 6C8284CF
                                                                                          • heap argument must be a list, xrefs: 6C82848F
                                                                                          Similarity
                                                                                          • API ID: Err_String$FromObjectString_$List_Slice
                                                                                          • String ID: heap argument must be a list$index out of range
                                                                                          • API String ID: 1329020071-2373695446
                                                                                          • Opcode ID: 76f420a1f6f8e9311202627e86190c2609c94b5cf246ac82096b7591e8624977
                                                                                          • Instruction ID: 8e2225d020b9eb648e74e5d6007ad235546cbdbfcfe9cdd1d54438434d908fa6
                                                                                          • Opcode Fuzzy Hash: 76f420a1f6f8e9311202627e86190c2609c94b5cf246ac82096b7591e8624977
                                                                                          • Instruction Fuzzy Hash: 7B210773B056004BD720DA69AD849ABB3E8EB8523DB144BA7ED1CC7B40E725EC1686D1
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(0000002C), ref: 6C826997
                                                                                            • Part of subcall function 6C8264F0: Py_FatalError.PYTHON27(GC object already tracked), ref: 6C826560
                                                                                          • PyArg_UnpackTuple.PYTHON27(?,6C96AF8E,00000001,00000002,?,?), ref: 6C8269E8
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                          • PyObject_GetIter.PYTHON27(?), ref: 6C826A12
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,argument 1 must be an iterator), ref: 6C826A2C
                                                                                          • PyObject_GC_Track.PYTHON27(00000000), ref: 6C826A65
                                                                                          Strings
                                                                                          • argument 1 must be an iterator, xrefs: 6C826A26
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object_$Err_String$Arg_ErrorFatalFromIterMallocObjectString_TrackTupleUnpack
                                                                                          • String ID: argument 1 must be an iterator
                                                                                          • API String ID: 2368614604-554921073
                                                                                          • Opcode ID: 93eab257b4bded4df5299895ee29afcca4e09dc09fa607306855fa5941cd1f48
                                                                                          • Instruction ID: ddefa3bc7503b3b67586170868a53bd0bd81d1c755c8417257075ab2df9667c6
                                                                                          • Opcode Fuzzy Hash: 93eab257b4bded4df5299895ee29afcca4e09dc09fa607306855fa5941cd1f48
                                                                                          • Instruction Fuzzy Hash: 4E31E5F2A003109BDB10DF68DCC599677A8AB14328B14CA69EC19CB745E735D855CBD2
                                                                                          APIs
                                                                                          • PyClass_IsSubclass.PYTHON27(?,04000000,?,?,?,?,?,6C8AF9FC,?,?,?,?,?,?,?,6C8AFC7B), ref: 6C8BA987
                                                                                          Strings
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8BA9C6
                                                                                          • ..\Objects\tupleobject.c, xrefs: 6C8BA9C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Class_Subclass
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\tupleobject.c
                                                                                          • API String ID: 388245403-1285866127
                                                                                          • Opcode ID: bc3b8a86e913481b8a4d730c383397f4d2c9fb968e33bae3bddbcc3b24b2f204
                                                                                          • Instruction ID: a2549483c6eb1982d7b56143e160a47d1a628400741b25be950eb2752b5b52bf
                                                                                          • Opcode Fuzzy Hash: bc3b8a86e913481b8a4d730c383397f4d2c9fb968e33bae3bddbcc3b24b2f204
                                                                                          • Instruction Fuzzy Hash: 6E214D32B0420557E7308A5DDAC19D6B358DB8436CB158A75ED6CE7B01E731FC4596E0
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AE0D1
                                                                                          • PySequence_Check.PYTHON27(?), ref: 6C8AE0FF
                                                                                            • Part of subcall function 6C8ADF00: PyObject_GetAttrString.PYTHON27(?,__getitem__), ref: 6C8ADF1A
                                                                                          • PyInt_FromSsize_t.PYTHON27(?), ref: 6C8AE10F
                                                                                            • Part of subcall function 6C8D70D0: PyInt_FromLong.PYTHON27(6C8AE114,?,6C8AE114,?), ref: 6C8D70E2
                                                                                            • Part of subcall function 6C8AC430: PyType_IsSubtype.PYTHON27(00000000,?,?,?,?,?,?,6C8ACA14,?,?,00000040), ref: 6C8AC48B
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,'%.200s' object can't be repeated,?), ref: 6C8AE16E
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AE0CB
                                                                                          • '%.200s' object can't be repeated, xrefs: 6C8AE168
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromInt_String$AttrCheckFormatLongObject_Sequence_Ssize_tSubtypeType_
                                                                                          • String ID: '%.200s' object can't be repeated$null argument to internal routine
                                                                                          • API String ID: 2764935240-1106208759
                                                                                          • Opcode ID: cb7da582a893e205e5c79317924346e3a861d60f0833493eeaad07245ab71c36
                                                                                          • Instruction ID: b6eb00bb93a29fe3bd7aca9e222823ae88fbac1ac101514634366c3e5259ad93
                                                                                          • Opcode Fuzzy Hash: cb7da582a893e205e5c79317924346e3a861d60f0833493eeaad07245ab71c36
                                                                                          • Instruction Fuzzy Hash: 0C21C8B67012119BD720DEA5EDC0D577368EB842287148E35E91D8BB41E736E867C7E0
                                                                                          APIs
                                                                                          • PyArg_UnpackTuple.PYTHON27(?,heappushpop,00000002,00000002,?,?), ref: 6C82862B
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,heap argument must be a list), ref: 6C828652
                                                                                            • Part of subcall function 6C828130: PyString_FromString.PYTHON27(__lt__), ref: 6C828144
                                                                                          • PyErr_SetString.PYTHON27(6CA65B38,index out of range), ref: 6C82869D
                                                                                            • Part of subcall function 6C8282E0: PyString_FromString.PYTHON27(index out of range), ref: 6C82830A
                                                                                            • Part of subcall function 6C8282E0: PyErr_SetObject.PYTHON27(6CA65B38,00000000,index out of range), ref: 6C828313
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$Err_$FromString_$Object$Arg_TupleUnpack
                                                                                          • String ID: heap argument must be a list$heappushpop$index out of range
                                                                                          • API String ID: 3571261255-1585693327
                                                                                          • Opcode ID: 1151a210ad470990172d7c247a2cd68a1e2e79fc5b4384c7ec0ebd768f58c0d9
                                                                                          • Instruction ID: 7256a46fad0db5a896c88c19fcad9a19091da3dd91106f0c9ff245d1a17d8cf5
                                                                                          • Opcode Fuzzy Hash: 1151a210ad470990172d7c247a2cd68a1e2e79fc5b4384c7ec0ebd768f58c0d9
                                                                                          • Instruction Fuzzy Hash: 0E218136A002049FDB10CB64D988D99B3F4EB49328F248AD9EC1997B51E735ED55D7C0
                                                                                          APIs
                                                                                          • PySequence_Check.PYTHON27(?), ref: 6C8AE1D0
                                                                                          • PySequence_Check.PYTHON27(?), ref: 6C8AE1DD
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,'%.200s' object can't be concatenated,?), ref: 6C8AE220
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AE245
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AE23F
                                                                                          • '%.200s' object can't be concatenated, xrefs: 6C8AE21A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckErr_Sequence_$FormatString
                                                                                          • String ID: '%.200s' object can't be concatenated$null argument to internal routine
                                                                                          • API String ID: 3037318651-586038359
                                                                                          • Opcode ID: ef0909c857f03098a307321638bfde0a11652925a2415485ab81361289330e4c
                                                                                          • Instruction ID: cf8e740f2a1d5a171c870636a34829397e1616043bfea6a11949108757efef1f
                                                                                          • Opcode Fuzzy Hash: ef0909c857f03098a307321638bfde0a11652925a2415485ab81361289330e4c
                                                                                          • Instruction Fuzzy Hash: 232128767012105BE7149AE5FE00E9A33A89B84369F148D7CED2CCBB80D725E817C7E0
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|z:unicode_internal_encode,?,?), ref: 6C8227CE
                                                                                          • PyString_FromStringAndSize.PYTHON27(?,?), ref: 6C8227FA
                                                                                          Strings
                                                                                          • O|z:unicode_internal_encode, xrefs: 6C8227C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Size$Arg_FromParseStringString_Tuple_
                                                                                          • String ID: O|z:unicode_internal_encode
                                                                                          • API String ID: 2714287502-4208230126
                                                                                          • Opcode ID: 597d70a6dc8d3899df4784ae163584dc5c666f90ba42d62c57ddc47eb0e6b0a1
                                                                                          • Instruction ID: 9b094f88f6db2a2e9daece42fa4fcf6ba0de4c33acf8febf2573baa509939054
                                                                                          • Opcode Fuzzy Hash: 597d70a6dc8d3899df4784ae163584dc5c666f90ba42d62c57ddc47eb0e6b0a1
                                                                                          • Instruction Fuzzy Hash: 9521F576E100186BD720DAA8AD04DEB73BCEB85238F0446A9EC1897B00F735EA5987D1
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,expected a single-segment buffer object), ref: 6C8AB626
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,expected a string or other character buffer object), ref: 6C8AB665
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AB68D
                                                                                          Strings
                                                                                          • expected a single-segment buffer object, xrefs: 6C8AB620
                                                                                          • expected a string or other character buffer object, xrefs: 6C8AB65F
                                                                                          • null argument to internal routine, xrefs: 6C8AB687
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: expected a single-segment buffer object$expected a string or other character buffer object$null argument to internal routine
                                                                                          • API String ID: 1450464846-3572025370
                                                                                          • Opcode ID: a8e8b9988669e9f684031ef1c8f02cd50a989d62dc3235830c164779a57433b8
                                                                                          • Instruction ID: 0b460d0e88f3f110032b92161024293bc7f9fdd2ed5cbd78c1965b90ea8302eb
                                                                                          • Opcode Fuzzy Hash: a8e8b9988669e9f684031ef1c8f02cd50a989d62dc3235830c164779a57433b8
                                                                                          • Instruction Fuzzy Hash: DF21C9726053099FDB11CE94ED80B6573A8EB4533CF208B69E93C8BB90D735E892C750
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine,?,?,6C8AD72E,?,?,?,?,6C8AB2E8,6C8AEF3A,6CA65B38), ref: 6C8AD673
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,__index__ returned non-(int,long) (type %.200s),?), ref: 6C8AD6CF
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,'%.200s' object cannot be interpreted as an index,?,?,?,?,6C8AD72E,?,?,?,?,6C8AB2E8,6C8AEF3A,6CA65B38), ref: 6C8AD6FE
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AD66D
                                                                                          • '%.200s' object cannot be interpreted as an index, xrefs: 6C8AD6F8
                                                                                          • __index__ returned non-(int,long) (type %.200s), xrefs: 6C8AD6C9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$Format$String
                                                                                          • String ID: '%.200s' object cannot be interpreted as an index$__index__ returned non-(int,long) (type %.200s)$null argument to internal routine
                                                                                          • API String ID: 1780620971-172259376
                                                                                          APIs
                                                                                          • PySequence_Check.PYTHON27(?), ref: 6C8AE024
                                                                                          • PySequence_Check.PYTHON27(?), ref: 6C8AE031
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,'%.200s' object can't be concatenated,?), ref: 6C8AE074
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AE099
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AE093
                                                                                          • '%.200s' object can't be concatenated, xrefs: 6C8AE06E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckErr_Sequence_$FormatString
                                                                                          • String ID: '%.200s' object can't be concatenated$null argument to internal routine
                                                                                          • API String ID: 3037318651-586038359
                                                                                          APIs
                                                                                          • PyArg_UnpackTuple.PYTHON27(?,heapreplace,00000002,00000002,?,?), ref: 6C82856B
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,heap argument must be a list), ref: 6C828592
                                                                                            • Part of subcall function 6C8282E0: PyString_FromString.PYTHON27(index out of range), ref: 6C82830A
                                                                                            • Part of subcall function 6C8282E0: PyErr_SetObject.PYTHON27(6CA65B38,00000000,index out of range), ref: 6C828313
                                                                                          • PyErr_SetString.PYTHON27(6CA65B38,index out of range), ref: 6C8285B1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String$FromObjectString_$Arg_TupleUnpack
                                                                                          • String ID: heap argument must be a list$heapreplace$index out of range
                                                                                          • API String ID: 3032523836-151322179
                                                                                          APIs
                                                                                          • PyDict_New.PYTHON27 ref: 6C8E8006
                                                                                            • Part of subcall function 6C8C4510: PyString_FromString.PYTHON27(<dummy key>,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4529
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8E8018
                                                                                          • PyString_FromString.PYTHON27(Py_Repr), ref: 6C8E8031
                                                                                          • PyDict_GetItem.PYTHON27(00000000,00000000), ref: 6C8E8041
                                                                                          • PyList_SetSlice.PYTHON27(00000000,?,?,00000000), ref: 6C8E8098
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Dict_FromStringString_$ClearErr_ItemList_Slice
                                                                                          • String ID: Py_Repr
                                                                                          • API String ID: 1400406548-2533070302
                                                                                          APIs
                                                                                          • PyObject_GetBuffer.PYTHON27(?,?,0000011C), ref: 6C8E3452
                                                                                          • PyMemoryView_FromBuffer.PYTHON27(?), ref: 6C8E3463
                                                                                            • Part of subcall function 6C8E3390: _PyObject_GC_Malloc.PYTHON27(00000040), ref: 6C8E33A0
                                                                                            • Part of subcall function 6C8E3390: Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8E33DF
                                                                                          • PyBuffer_Release.PYTHON27(?), ref: 6C8E3474
                                                                                          • PyString_FromString.PYTHON27(cannot make memory view because object does not have the buffer interface), ref: 6C8E349A
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,cannot make memory view because object does not have the buffer interface), ref: 6C8E34A3
                                                                                          Strings
                                                                                          • cannot make memory view because object does not have the buffer interface, xrefs: 6C8E3495
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: BufferFromObject_$Buffer_Err_ErrorFatalMallocMemoryObjectReleaseStringString_View_
                                                                                          • String ID: cannot make memory view because object does not have the buffer interface
                                                                                          • API String ID: 795727773-947840849
                                                                                          APIs
                                                                                          • PySequence_Check.PYTHON27(?), ref: 6C8AFF18
                                                                                          • PySeqIter_New.PYTHON27(?), ref: 6C8AFF25
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,'%.200s' object is not iterable,?), ref: 6C8AFF43
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,iter() returned non-iterator of type '%.100s',?), ref: 6C8AFF84
                                                                                          Strings
                                                                                          • iter() returned non-iterator of type '%.100s', xrefs: 6C8AFF7E
                                                                                          • '%.200s' object is not iterable, xrefs: 6C8AFF3D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format$CheckIter_Sequence_
                                                                                          • String ID: '%.200s' object is not iterable$iter() returned non-iterator of type '%.100s'
                                                                                          • API String ID: 1856588606-3403259511
                                                                                          APIs
                                                                                          • _Py_CheckRecursiveCall.PYTHON27( while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C8AF0A5
                                                                                            • Part of subcall function 6C92E7C0: PyOS_CheckStack.PYTHON27(?,?,6C8AF0AA, while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C92E7CA
                                                                                            • Part of subcall function 6C92E7C0: PyErr_SetString.PYTHON27(6CA667A8,Stack overflow,?,?,6C8AF0AA, while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C92E7E1
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,NULL result without error in PyObject_Call,?,00000000,00000000), ref: 6C8AF0E4
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,'%.200s' object is not callable,?,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C8AF102
                                                                                          Strings
                                                                                          • NULL result without error in PyObject_Call, xrefs: 6C8AF0DE
                                                                                          • while calling a Python object, xrefs: 6C8AF0A0
                                                                                          • '%.200s' object is not callable, xrefs: 6C8AF0FC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$CheckString$CallFormatRecursiveStack
                                                                                          • String ID: while calling a Python object$'%.200s' object is not callable$NULL result without error in PyObject_Call
                                                                                          • API String ID: 3585756785-4047954617
                                                                                          APIs
                                                                                          • PyArg_UnpackTuple.PYTHON27 ref: 6C837FF5
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                            • Part of subcall function 6C837BB0: PyObject_GetItem.PYTHON27(?), ref: 6C837BCE
                                                                                            • Part of subcall function 6C837BB0: PyInt_AsSsize_t.PYTHON27(00000000), ref: 6C837BE9
                                                                                          • PyInt_FromSsize_t.PYTHON27(?,?,?,?), ref: 6C83801D
                                                                                            • Part of subcall function 6C8D70D0: PyInt_FromLong.PYTHON27(6C8AE114,?,6C8AE114,?), ref: 6C8D70E2
                                                                                          • PyString_FromString.PYTHON27(no such group,?,?,?), ref: 6C838036
                                                                                          • PyErr_SetObject.PYTHON27(6CA65B38,00000000,no such group,?,?,?), ref: 6C83803F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: From$Int_$Err_ObjectSsize_tStringString_$Arg_ItemLongObject_TupleUnpack
                                                                                          • String ID: end$no such group
                                                                                          • API String ID: 2789669055-2392581925
                                                                                          • Opcode ID: ce42a8764206fd532e615f9baac5f73ca8bf638251c7268e4185657026a0487c
                                                                                          • Instruction ID: 1b6cc6bb263771ea6291cfb077001243448eccc2284e0d9d7d10d00716f98526
                                                                                          • Opcode Fuzzy Hash: ce42a8764206fd532e615f9baac5f73ca8bf638251c7268e4185657026a0487c
                                                                                          • Instruction Fuzzy Hash: 62016F72A046105BD2209A68AD01AAB33E8DB44338F005F6AED2CD7B80E735E805C3E6
                                                                                          APIs
                                                                                          • PyArg_UnpackTuple.PYTHON27 ref: 6C837F55
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                            • Part of subcall function 6C837BB0: PyObject_GetItem.PYTHON27(?), ref: 6C837BCE
                                                                                            • Part of subcall function 6C837BB0: PyInt_AsSsize_t.PYTHON27(00000000), ref: 6C837BE9
                                                                                          • PyInt_FromSsize_t.PYTHON27(?,?,?,?), ref: 6C837F7D
                                                                                            • Part of subcall function 6C8D70D0: PyInt_FromLong.PYTHON27(6C8AE114,?,6C8AE114,?), ref: 6C8D70E2
                                                                                          • PyString_FromString.PYTHON27(no such group,?,?,?), ref: 6C837F96
                                                                                          • PyErr_SetObject.PYTHON27(6CA65B38,00000000,no such group,?,?,?), ref: 6C837F9F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: From$Int_$Err_ObjectSsize_tStringString_$Arg_ItemLongObject_TupleUnpack
                                                                                          • String ID: no such group$start
                                                                                          • API String ID: 2789669055-2698064628
                                                                                          • Opcode ID: c94b1d253c5cbdc76c78941c762ca142b3c0b66777f5400a6ccf9b8572fa344e
                                                                                          • Instruction ID: c2182108fe14c797df847ad1e55cc2cecb9241fc07bb0d550420d0204cd5e73b
                                                                                          • Opcode Fuzzy Hash: c94b1d253c5cbdc76c78941c762ca142b3c0b66777f5400a6ccf9b8572fa344e
                                                                                          • Instruction Fuzzy Hash: DD016F726016106BD3209A58EE01AAB73E8AB44338F004B69FD2C87B80E730E905C3E6
                                                                                          APIs
                                                                                          • PyArg_UnpackTuple.PYTHON27(?,field_size_limit,00000000,00000001,?), ref: 6C827593
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,limit must be an integer), ref: 6C8275BD
                                                                                          • PyInt_AsLong.PYTHON27(00000000), ref: 6C8275CD
                                                                                          • PyInt_FromLong.PYTHON27(00020000), ref: 6C8275EC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromInt_Long$Arg_FormatObjectStringString_TupleUnpack
                                                                                          • String ID: field_size_limit$limit must be an integer
                                                                                          • API String ID: 967242494-1264440769
                                                                                          • Opcode ID: a9d862156f6c1c90beaa4592b8bb713ffb7fbc7c4aadbf3e510e5f591a2ab213
                                                                                          • Instruction ID: 7ca790a3f6419d38a66b639363493a2bf41c4ece7f6454c9be3f369e9e9db112
                                                                                          • Opcode Fuzzy Hash: a9d862156f6c1c90beaa4592b8bb713ffb7fbc7c4aadbf3e510e5f591a2ab213
                                                                                          • Instruction Fuzzy Hash: 6E0128B1B012059BDB14DAA5EF05F9A73BC9B0532CF108A98FD08C7681E735D95487D1
                                                                                          APIs
                                                                                          • Py_InitModule4.PYTHON27(_functools,6CA8E454,Tools that operate on functions.,00000000,000003F5), ref: 6C8280DB
                                                                                          • PyType_Ready.PYTHON27(6CA8E390), ref: 6C8280F1
                                                                                          • strchr.MSVCR90 ref: 6C828103
                                                                                          • PyModule_AddObject.PYTHON27(00000000,00000001,6CA8E391), ref: 6C82810F
                                                                                            • Part of subcall function 6C94EC70: PyType_IsSubtype.PYTHON27(?,?,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94EC87
                                                                                            • Part of subcall function 6C94EC70: PyErr_SetString.PYTHON27(6CA648B0,PyModule_AddObject() needs module as first arg,deque,6CA8FF60), ref: 6C94EC9E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Type_$Err_InitModule4Module_ObjectReadyStringSubtypestrchr
                                                                                          • String ID: Tools that operate on functions.$_functools
                                                                                          • API String ID: 2866601250-1707497487
                                                                                          • Opcode ID: 955c408cc38d4f416184a7261d7f2640b9de847a506071a0cb1222cbe1ae0ba6
                                                                                          • Instruction ID: 9a9f593524c0d7af0dd042595ccfa9b20d6a021d9c4a684678666b5e02ed4c5c
                                                                                          • Opcode Fuzzy Hash: 955c408cc38d4f416184a7261d7f2640b9de847a506071a0cb1222cbe1ae0ba6
                                                                                          • Instruction Fuzzy Hash: FBF0AC72E012147BDB30599D8D45EBFB6ACDB81214F000822FD4997B01EB20DD8083F2
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,000000B6), ref: 6C8D954B
                                                                                          Strings
                                                                                          • list index out of range, xrefs: 6C8D9578
                                                                                          • ..\Objects\listobject.c, xrefs: 6C8D9540
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D9545
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\listobject.c$list index out of range
                                                                                          • API String ID: 376477240-3931849722
                                                                                          • Opcode ID: 3ead88537c9cc35bb5f207f05cb9fd7c37dea310eb5a7f66b36a414e80054656
                                                                                          • Instruction ID: 97c95ef9f27af88a7d8b8fd679bde1fd32aec0d845ddd26368fbc3e524583cab
                                                                                          • Opcode Fuzzy Hash: 3ead88537c9cc35bb5f207f05cb9fd7c37dea310eb5a7f66b36a414e80054656
                                                                                          • Instruction Fuzzy Hash: F301F774B103055BD724DE69DD55A2573F8A706318F088AB4FC1CC7B41EB22E5568791
                                                                                          APIs
                                                                                          • PyObject_GetAttrString.PYTHON27(?,__dict__,6CA69E88,?,6C8E7768,?,?,?,?,?,?,?,?,6C8E77F7), ref: 6C8E753A
                                                                                          • PyDict_Keys.PYTHON27(00000000), ref: 6C8E7555
                                                                                          • PyModule_GetName.PYTHON27(?), ref: 6C8E7562
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s.__dict__ is not a dictionary,00000000), ref: 6C8E757B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttrDict_Err_FormatKeysModule_NameObject_String
                                                                                          • String ID: %.200s.__dict__ is not a dictionary$__dict__
                                                                                          • API String ID: 1862186721-2745307267
                                                                                          • Opcode ID: 6d3abe684b8c16e93a138966ca20d33f3da79ae719eacdf02f7b92b72246b1bd
                                                                                          • Instruction ID: f31c8c70a1dc3217bab65f3aab3a7d12f037503c2b324d8049e3f196971ce411
                                                                                          • Opcode Fuzzy Hash: 6d3abe684b8c16e93a138966ca20d33f3da79ae719eacdf02f7b92b72246b1bd
                                                                                          • Instruction Fuzzy Hash: 2FF0BBB1A026115BF73086646E80AAB32585B1B628B140E38EC2586B42E729DD59C6E2
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Python\getargs.c,0000078E,?,6C831E1D,Random(),?), ref: 6C945F14
                                                                                          Strings
                                                                                          • ..\Python\getargs.c, xrefs: 6C945F09
                                                                                          • %s does not take keyword arguments, xrefs: 6C945F39
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C945F0E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s does not take keyword arguments$%s:%d: bad argument to internal function$..\Python\getargs.c
                                                                                          • API String ID: 376477240-2672772090
                                                                                          • Opcode ID: e48f5179cf00810e8b37780e79c9ea8386d87e13fbb00252a864aea0937be2be
                                                                                          • Instruction ID: d25114c3023e459bb6f4446b6e002f5b2e02a340c5b885fd94201d7a67d2c07a
                                                                                          • Opcode Fuzzy Hash: e48f5179cf00810e8b37780e79c9ea8386d87e13fbb00252a864aea0937be2be
                                                                                          • Instruction Fuzzy Hash: 38F0B471B152086BD710D9A8AD06E66336C9B2525CF04CEA8BC2CC7F41FA26D860C6D2
                                                                                          APIs
                                                                                          • PyType_Ready.PYTHON27(6CA8AAA0), ref: 6C831E85
                                                                                          • Py_InitModule4.PYTHON27(_random,00000000,Module implements the Mersenne Twister random number generator.,00000000,000003F5), ref: 6C831EA4
                                                                                          • PyModule_AddObject.PYTHON27(00000000,Random,6CA8AAA0), ref: 6C831EC1
                                                                                            • Part of subcall function 6C94EC70: PyType_IsSubtype.PYTHON27(?,?,?,?,6C8257F9,00000000,deque,6CA8FF60), ref: 6C94EC87
                                                                                            • Part of subcall function 6C94EC70: PyErr_SetString.PYTHON27(6CA648B0,PyModule_AddObject() needs module as first arg,deque,6CA8FF60), ref: 6C94EC9E
                                                                                          Strings
                                                                                          • Random, xrefs: 6C831EBB
                                                                                          • _random, xrefs: 6C831E9F
                                                                                          • Module implements the Mersenne Twister random number generator., xrefs: 6C831E98
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Type_$Err_InitModule4Module_ObjectReadyStringSubtype
                                                                                          • String ID: Module implements the Mersenne Twister random number generator.$Random$_random
                                                                                          • API String ID: 2860454020-3154293513
                                                                                          APIs
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,6C90B64C,?,?,?,00000000), ref: 6C90B598
                                                                                          • PyErr_SetExcFromWindowsErrWithFilenameObject.PYTHON27(6CA650B8,00000000,00000000), ref: 6C90B5AF
                                                                                          • PyString_FromStringAndSize.PYTHON27(?,00000000,?,?,?,6C90B64C,?,?,?,00000000,?,6C823246,?,?,00000000), ref: 6C90B5C9
                                                                                          • PyString_Size.PYTHON27(?,?,?,?,6C90B64C,?,?,?,00000000,?,6C823246,?,?,00000000), ref: 6C90B5E2
                                                                                          • _PyString_Resize.PYTHON27(?,?,?,?,?,?,6C90B64C,?,?,?,00000000,?,6C823246,?,?,00000000), ref: 6C90B5F1
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 6C90B619
                                                                                          Similarity
                                                                                          • API ID: String_$ByteCharFromMultiSizeWide$Err_FilenameObjectResizeStringWindowsWith
                                                                                          • String ID:
                                                                                          • API String ID: 3319194404-0
                                                                                          APIs
                                                                                            • Part of subcall function 6C829030: fgetc.MSVCR90 ref: 6C829047
                                                                                          • malloc.MSVCR90 ref: 6C8290B0
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C8290BF
                                                                                            • Part of subcall function 6C940380: PyErr_GivenExceptionMatches.PYTHON27(00000000,6CA667A8,?,6C8F7E82,00000000,6C8AB1D5,?,?,?,6C8AF66F,00000000,?,00000000,6C8AF785,00000000), ref: 6C940396
                                                                                            • Part of subcall function 6C940380: PyErr_SetObject.PYTHON27(6CA667A8,?), ref: 6C9403B3
                                                                                          • fgetc.MSVCR90 ref: 6C8290E7
                                                                                          • PyString_FromStringAndSize.PYTHON27(00000000,?), ref: 6C8290FF
                                                                                          • free.MSVCR90 ref: 6C82910C
                                                                                          • free.MSVCR90 ref: 6C829129
                                                                                          Similarity
                                                                                          • API ID: Err_$fgetcfree$ExceptionFromGivenMatchesMemoryObjectSizeStringString_malloc
                                                                                          • String ID:
                                                                                          • API String ID: 2006357968-0
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,6C96BCB4,?,?), ref: 6C835C27
                                                                                          • tolower.MSVCR90 ref: 6C835C49
                                                                                          • _Py_BuildValue_SizeT.PYTHON27(6CA0FB10,00000000), ref: 6C835C58
                                                                                          Similarity
                                                                                          • API ID: Size$Arg_BuildParseTuple_Value_tolower
                                                                                          • String ID:
                                                                                          • API String ID: 2724438417-0
                                                                                          APIs
                                                                                          • PyList_New.PYTHON27(?), ref: 6C8C5CB7
                                                                                            • Part of subcall function 6C8D93A0: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,0000007E,?,?,?,?,?,6C8C5BB1,?,?,?,?,6C8C67DF,?), ref: 6C8D93C3
                                                                                          • _PyObject_GC_Malloc.PYTHON27(0000000F), ref: 6C8C5D16
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8C5D5A
                                                                                          • PyList_New.PYTHON27(?), ref: 6C8C5DC3
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8C5D55
                                                                                          Similarity
                                                                                          • API ID: List_$Err_ErrorFatalFormatMallocObject_
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 2451881301-3349536495
                                                                                          APIs
                                                                                          • PyArg_ParseTuple.PYTHON27(?,OO&|zi:scanstring,?,Function_0000ADC0,?,?,?), ref: 6C82C0C9
                                                                                          Similarity
                                                                                          • API ID: Arg_ParseTuple
                                                                                          • String ID: OO&|zi:scanstring$first argument must be a string, not %.80s$utf-8
                                                                                          • API String ID: 3371842430-3658668036
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AE631
                                                                                          • _PySlice_FromIndices.PYTHON27(?,?), ref: 6C8AE6AD
                                                                                            • Part of subcall function 6C8EC210: PyInt_FromLong.PYTHON27(?,?,?,6C8AE47D,?,?), ref: 6C8EC223
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,'%.200s' object doesn't support slice assignment,?), ref: 6C8AE6F2
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AE62B
                                                                                          • '%.200s' object doesn't support slice assignment, xrefs: 6C8AE6EC
                                                                                          Similarity
                                                                                          • API ID: Err_From$FormatIndicesInt_LongSlice_String
                                                                                          • String ID: '%.200s' object doesn't support slice assignment$null argument to internal routine
                                                                                          • API String ID: 4144052031-3688816455
                                                                                          APIs
                                                                                          • PyInt_FromLong.PYTHON27 ref: 6C82B59D
                                                                                          • _PyLong_FromByteArray.PYTHON27(?,00000004,00000001,00000001), ref: 6C82B5B6
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000002), ref: 6C82B606
                                                                                            • Part of subcall function 6C85BAA0: _PyObject_GC_Malloc.PYTHON27(?), ref: 6C85BABC
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C82B62A
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C82B625
                                                                                          Similarity
                                                                                          • API ID: FromObject_$ArrayByteErrorFatalInt_LongLong_Malloc
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 85452904-3349536495
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AF217
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000000), ref: 6C8AF275
                                                                                            • Part of subcall function 6C8AF110: Py_FatalError.PYTHON27(GC object already tracked,6C8AF2E2), ref: 6C8AF17B
                                                                                            • Part of subcall function 6C8AF110: PyObject_Call.PYTHON27(6C8AF2E2,00000001,00000000), ref: 6C8AF1B2
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AF211
                                                                                          • GC object already tracked, xrefs: 6C8AF2AA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Object_$CallErr_ErrorFatalString
                                                                                          • String ID: GC object already tracked$null argument to internal routine
                                                                                          APIs
                                                                                          • PyObject_CheckReadBuffer.PYTHON27(?), ref: 6C8BF1AC
                                                                                            • Part of subcall function 6C8BEF60: Py_FatalError.PYTHON27(non-string found in code slot,?,?,6C8BF1C4), ref: 6C8BEF84
                                                                                            • Part of subcall function 6C8BEF60: PyString_InternInPlace.PYTHON27(?,6C8BF1C4), ref: 6C8BEF8D
                                                                                            • Part of subcall function 6C8BEFA0: PyString_InternInPlace.PYTHON27(?,?,?,?,?,6C8BF1E2,?), ref: 6C8BEFF4
                                                                                          • PyObject_Malloc.PYTHON27(00000048,?), ref: 6C8BF1F1
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\codeobject.c,00000070), ref: 6C8BF289
                                                                                          Strings
                                                                                          • ..\Objects\codeobject.c, xrefs: 6C8BF27E
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8BF283
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: InternObject_PlaceString_$BufferCheckErr_ErrorFatalFormatMallocRead
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\codeobject.c
                                                                                          APIs
                                                                                          • PyArg_ParseTupleAndKeywords.PYTHON27(?,?,|OO:deque,?,?,?), ref: 6C824E36
                                                                                          • PyInt_AsSsize_t.PYTHON27(00000000), ref: 6C824E51
                                                                                            • Part of subcall function 6C8D72B0: PyErr_SetString.PYTHON27(6CA648B0,an integer is required,?,6C8AD745,00000000,?,00000000), ref: 6C8D72C5
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,maxlen must be non-negative), ref: 6C824E7B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_String$Arg_Int_KeywordsParseSsize_tTuple
                                                                                          • String ID: maxlen must be non-negative$|OO:deque
                                                                                          APIs
                                                                                          • PyArg_ParseTupleAndKeywords.PYTHON27(?,?,OO&:_iterencode,6CA81D14,?,Function_0000ADC0,?), ref: 6C82E10C
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C82E143
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C82E179
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Arg_ErrorFatalKeywordsMallocObject_ParseTuple
                                                                                          • String ID: GC object already tracked$OO&:_iterencode
                                                                                          APIs
                                                                                          • PyList_New.PYTHON27(00000000,?,?,?,__methods__,?,6C8E4E9D), ref: 6C8E4D89
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C8E4DB1
                                                                                          • PyList_SetItem.PYTHON27(00000000,00000000,00000000), ref: 6C8E4DBC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: List_$FromItemStringString_
                                                                                          • String ID: __methods__
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,long int too large to convert to int), ref: 6C8DD97A
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\longobject.c,00000173,?,00000000,?,?,?,6C8D72F3,00000000,?,6C8AD745,00000000,?,00000000), ref: 6C8DD9A2
                                                                                          Strings
                                                                                          • ..\Objects\longobject.c, xrefs: 6C8DD997
                                                                                          • long int too large to convert to int, xrefs: 6C8DD974
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8DD99C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_$FormatString
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\longobject.c$long int too large to convert to int
                                                                                          APIs
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000271), ref: 6C831954
                                                                                            • Part of subcall function 6C85BAA0: _PyObject_GC_Malloc.PYTHON27(?), ref: 6C85BABC
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C831986
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          • PyLong_FromUnsignedLong.PYTHON27(00000000), ref: 6C8319C3
                                                                                          • PyLong_FromLong.PYTHON27(?), ref: 6C8319EA
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C831981
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: DebugOutputString$FromLongLong_Object___iob_func$ErrorFatalMallocUnsignedabortfflushfprintf
                                                                                          • String ID: GC object already tracked
                                                                                          APIs
                                                                                          • PyArg_UnpackTuple.PYTHON27(?,6C96AF8E,00000001,00000002,?,?), ref: 6C827432
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                          • PyType_IsSubtype.PYTHON27(6CA5E208,?), ref: 6C827453
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,dialect name must be a string or unicode), ref: 6C82746B
                                                                                          • PyDict_SetItem.PYTHON27(00000000,?,00000000), ref: 6C82749B
                                                                                          Strings
                                                                                          • dialect name must be a string or unicode, xrefs: 6C827465
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String$Arg_Dict_FromItemObjectString_SubtypeTupleType_Unpack
                                                                                          • String ID: dialect name must be a string or unicode
                                                                                          • API String ID: 2914826578-4036968015
                                                                                          • Opcode ID: 35a52e9a620f2e02077ed5fd6029ac6e86845f6c92e7c45cbde41990f689a713
                                                                                          • Instruction ID: ec25d3f8115ba45e8a4ecf0ba66f40e4ea651981c43327b9d0027e9f1a470c74
                                                                                          • Opcode Fuzzy Hash: 35a52e9a620f2e02077ed5fd6029ac6e86845f6c92e7c45cbde41990f689a713
                                                                                          • Instruction Fuzzy Hash: EF214CB1E01605ABC710DAA5DD45EDB77B89B04228F1087A8ED1897B80F735ED91C7D1
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|zO:charmap_encode,?,?,?), ref: 6C823109
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C82312F
                                                                                          • PyUnicodeUCS2_EncodeCharmap.PYTHON27(?,?,6CA5FB7C,00000000), ref: 6C823150
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Unicode$Arg_CharmapEncodeFromObjectParseSizeTuple_
                                                                                          • String ID: O|zO:charmap_encode
                                                                                          • API String ID: 412595032-3556360410
                                                                                          • Opcode ID: e985b672dafd2b02db5e9bf34cc0ecc9c6678fe8cdc683518d08ce50d7926944
                                                                                          • Instruction ID: f9696dbc16a009616e16694b58026938f573863c95a537ed77904b6b1c943980
                                                                                          • Opcode Fuzzy Hash: e985b672dafd2b02db5e9bf34cc0ecc9c6678fe8cdc683518d08ce50d7926944
                                                                                          • Instruction Fuzzy Hash: 1121B0B6E00108AFDB10DB99CD55E8AB7B8EB94328F148698E80897740E734DE85CBD1
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|zi:utf_32_encode,?,?,?), ref: 6C822C29
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C822C3F
                                                                                          • PyUnicodeUCS2_EncodeUTF32.PYTHON27(?,?,00000000,00000000), ref: 6C822C60
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Unicode$Arg_EncodeFromObjectParseSizeTuple_
                                                                                          • String ID: O|zi:utf_32_encode
                                                                                          • API String ID: 1839821152-3782673755
                                                                                          • Opcode ID: 6e923ee8e0062421dc09bfd5dbcd5475af45d32065e076ff5200e4511c8e26d2
                                                                                          • Instruction ID: 13e1c75af775e638fd1d200a3d73ec49a83ca4e0baf56116b73908edfaa710c9
                                                                                          • Opcode Fuzzy Hash: 6e923ee8e0062421dc09bfd5dbcd5475af45d32065e076ff5200e4511c8e26d2
                                                                                          • Instruction Fuzzy Hash: 1721D4B5A00104AFC714DBA9CD44E9B73B8EB94324F1546A8E818C7741E738DE45C7D1
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA65B38,tuple assignment index out of range,00000000), ref: 6C8F7FB2
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\tupleobject.c,0000008E,00000000), ref: 6C8F7FEF
                                                                                          Strings
                                                                                          • tuple assignment index out of range, xrefs: 6C8F7FAC
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8F7FE9
                                                                                          • ..\Objects\tupleobject.c, xrefs: 6C8F7FE4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_$FormatString
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\tupleobject.c$tuple assignment index out of range
                                                                                          • API String ID: 4212644371-3733875535
                                                                                          • Opcode ID: 0961c7bd15396f468a0a67988b54eb333b61087bfbd11c845f6985f6b83cdfb4
                                                                                          • Instruction ID: dfa7b13c0d0dd2376741bfa9b4a2a9afd0efae4a14511ebf30434c1af59e98b2
                                                                                          • Opcode Fuzzy Hash: 0961c7bd15396f468a0a67988b54eb333b61087bfbd11c845f6985f6b83cdfb4
                                                                                          • Instruction Fuzzy Hash: 89217F71A012058BFB14DF68DD40DA673A8EB45378B258B94E8388BBC1D635EC52CB91
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|zi:utf_16_encode,?,?,?), ref: 6C822A09
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C822A1F
                                                                                          • PyUnicodeUCS2_EncodeUTF16.PYTHON27(?,?,00000000,00000000), ref: 6C822A40
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Unicode$Arg_EncodeFromObjectParseSizeTuple_
                                                                                          • String ID: O|zi:utf_16_encode
                                                                                          • API String ID: 1839821152-1271604007
                                                                                          • Opcode ID: d36c0c8f7868f48e44d2d654e80ef9230688d79f655968f190d82f0470b06fe0
                                                                                          • Instruction ID: f7ae93621cbd5049e77412a891528c9ae6f168f7ed7477b4fb03270a409dce71
                                                                                          • Opcode Fuzzy Hash: d36c0c8f7868f48e44d2d654e80ef9230688d79f655968f190d82f0470b06fe0
                                                                                          • Instruction Fuzzy Hash: FE21C2B5E00104ABC724CBA9C844E9AB3B9EB94324F1586A4E80997B40E738DE45C7D1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,000000E4,?,?,?,?,?,6C8D9766,?), ref: 6C8D96A0
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,cannot add more objects to list,?,?,?,?,?,6C8D9766,?), ref: 6C8D96C5
                                                                                          Strings
                                                                                          • ..\Objects\listobject.c, xrefs: 6C8D9695
                                                                                          • cannot add more objects to list, xrefs: 6C8D96BF
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D969A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_$FormatString
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\listobject.c$cannot add more objects to list
                                                                                          • API String ID: 4212644371-2880859640
                                                                                          • Opcode ID: dc0d79aa9b93ab53bb9360ffedd50038d25ecde1eb9709a458e56cd7038cb1bd
                                                                                          • Instruction ID: 87445f7f24696cc05757afe51e28062a86fb684bbd6a482367996476e2d3a795
                                                                                          • Opcode Fuzzy Hash: dc0d79aa9b93ab53bb9360ffedd50038d25ecde1eb9709a458e56cd7038cb1bd
                                                                                          • Instruction Fuzzy Hash: B01129326081005FC710CE2DED9486573A8E796378B294FA9F53CC7790EE32E8468790
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|z:utf_7_encode,?,?), ref: 6C82289E
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C8228B4
                                                                                          • PyUnicode_EncodeUTF7.PYTHON27(?,?,00000000,00000000,00000000), ref: 6C8228D5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Arg_EncodeFromObjectParseSizeTuple_UnicodeUnicode_
                                                                                          • String ID: O|z:utf_7_encode
                                                                                          • API String ID: 3513413484-4211547508
                                                                                          • Opcode ID: 3299a6c5f0e877556a470ba33b38cbc4724afba0c0e126b35c2ac739dba3cf1e
                                                                                          • Instruction ID: d069934180122851fd60fa487e3b1e51c2483a2d02aca2af31fca6c1b68d3fac
                                                                                          • Opcode Fuzzy Hash: 3299a6c5f0e877556a470ba33b38cbc4724afba0c0e126b35c2ac739dba3cf1e
                                                                                          • Instruction Fuzzy Hash: 9711E4B5A00108AFD720DBA9DD49E8B73B8EF94334F1446A4E90897740E738EE45C7E1
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|z:utf_32_le_encode,?,?), ref: 6C822CDE
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C822CF4
                                                                                          • PyUnicodeUCS2_EncodeUTF32.PYTHON27(?,?,00000000,000000FF), ref: 6C822D13
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Unicode$Arg_EncodeFromObjectParseSizeTuple_
                                                                                          • String ID: O|z:utf_32_le_encode
                                                                                          • API String ID: 1839821152-4185464437
                                                                                          • Opcode ID: 9b92bf388f7e0aca34b31016ec8e60ad41c857dbe58452123cdd35128c404189
                                                                                          • Instruction ID: 7fbe0268c177d669e005ed86a4375f80c113035288450301ffc7b683d5b5784d
                                                                                          • Opcode Fuzzy Hash: 9b92bf388f7e0aca34b31016ec8e60ad41c857dbe58452123cdd35128c404189
                                                                                          • Instruction Fuzzy Hash: 671103B6A00008AFD710DBA9CD48D9B73B8EF95334F1546A4E81887791E738EE45C7D1
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|z:utf_32_be_encode,?,?), ref: 6C822D8E
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C822DA4
                                                                                          • PyUnicodeUCS2_EncodeUTF32.PYTHON27(?,?,00000000,00000001), ref: 6C822DC3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Unicode$Arg_EncodeFromObjectParseSizeTuple_
                                                                                          • String ID: O|z:utf_32_be_encode
                                                                                          • API String ID: 1839821152-834389479
                                                                                          • Opcode ID: 7dd1dfaab0fac9b89478909b1a99196a78cf749d5b16fa3f62681bb34bc12687
                                                                                          • Instruction ID: 7ec7a000da2ebcf16de889d69d7e5485413655cabf95544100c853b29717d19e
                                                                                          • Opcode Fuzzy Hash: 7dd1dfaab0fac9b89478909b1a99196a78cf749d5b16fa3f62681bb34bc12687
                                                                                          • Instruction Fuzzy Hash: 0211E176A00108ABD710CBA9CD49ECB73B9EB95334F1446A4E80897741E738EE45C7D1
                                                                                          APIs
                                                                                          • PyErr_CheckSignals.PYTHON27(?,6C8E5D30,6C8AC365), ref: 6C8E5993
                                                                                          • PyOS_CheckStack.PYTHON27(?,6C8E5D30,6C8AC365), ref: 6C8E599C
                                                                                          Strings
                                                                                          • __repr__ returned non-string (type %.200s), xrefs: 6C8E5A88
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Check$Err_SignalsStack
                                                                                          • String ID: __repr__ returned non-string (type %.200s)
                                                                                          • API String ID: 359474703-4223728409
                                                                                          • Opcode ID: be40660e9cb116ce4ae85b27e086288a0ce85f3addee166b8b1e43b5b9334949
                                                                                          • Instruction ID: 21a04ed1efe4f7e91d32cdba0d8d5c5c8afde83a871a8c297ee8e42c34ae8d25
                                                                                          • Opcode Fuzzy Hash: be40660e9cb116ce4ae85b27e086288a0ce85f3addee166b8b1e43b5b9334949
                                                                                          • Instruction Fuzzy Hash: E9219D317017218FD724DB69EA80B8AB3B4AB4A778F14C629E90C8BB01D334E811DB84
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,000000CE), ref: 6C8D95F2
                                                                                          • PyErr_SetString.PYTHON27(6CA65B38,list assignment index out of range), ref: 6C8D9659
                                                                                          Strings
                                                                                          • ..\Objects\listobject.c, xrefs: 6C8D95E7
                                                                                          • list assignment index out of range, xrefs: 6C8D9653
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D95EC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_$FormatString
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\listobject.c$list assignment index out of range
                                                                                          • API String ID: 4212644371-1587055375
                                                                                          • Opcode ID: 2aef7321c2a1fe40b823c2ad0813f260f5a2fdb23dd17db7a99f0cfdc48be271
                                                                                          • Instruction ID: 0393bff514d7b1e910d4485a0f0a5214a4058ef20c9f32a37a931f7a91950a4d
                                                                                          • Opcode Fuzzy Hash: 2aef7321c2a1fe40b823c2ad0813f260f5a2fdb23dd17db7a99f0cfdc48be271
                                                                                          • Instruction Fuzzy Hash: 57218070A002059FD714CF68ED5496533A8AB15338B198B98F83C8BBD0DB32FC52CB90
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|z:mbcs_encode,?,?), ref: 6C82320E
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C823224
                                                                                          • PyUnicode_EncodeMBCS.PYTHON27(?,?,00000000), ref: 6C823241
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Arg_EncodeFromObjectParseSizeTuple_UnicodeUnicode_
                                                                                          • String ID: O|z:mbcs_encode
                                                                                          • API String ID: 3513413484-52123863
                                                                                          • Opcode ID: dc69e99db0405a1046992531939d468eb251ae08c39ddcc3ce2a45344c980f27
                                                                                          • Instruction ID: 1180f952e604f5dcbf4a40e4d991477c324818e630e3247d2c88459dd5660d24
                                                                                          • Opcode Fuzzy Hash: dc69e99db0405a1046992531939d468eb251ae08c39ddcc3ce2a45344c980f27
                                                                                          • Instruction Fuzzy Hash: 3211D376A00104ABD710CBA9DD45E9BB7BDEF94324F1446A8E80897B50E734EE45C7E1
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|z:utf_8_encode,?,?), ref: 6C82294E
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C822964
                                                                                          • PyUnicodeUCS2_EncodeUTF8.PYTHON27(?,?,00000000), ref: 6C822981
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Unicode$Arg_EncodeFromObjectParseSizeTuple_
                                                                                          • String ID: O|z:utf_8_encode
                                                                                          • API String ID: 1839821152-572985304
                                                                                          • Opcode ID: 3ef1227128a591a20d930867f207cba0a2734f33f12ce3fbddbfa2517eb20d25
                                                                                          • Instruction ID: 02ce24839c96901aa68f5aefde467e1458b2e62fbb048932cf6ba70138021aca
                                                                                          • Opcode Fuzzy Hash: 3ef1227128a591a20d930867f207cba0a2734f33f12ce3fbddbfa2517eb20d25
                                                                                          • Instruction Fuzzy Hash: 7F1100B6A00104AFC710DBA9CD48E8BB3B8EF95334F1446A4E80897741E738EE45D7E1
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|z:raw_unicode_escape_encode,?,?), ref: 6C822EEE
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C822F04
                                                                                          • PyUnicodeUCS2_EncodeRawUnicodeEscape.PYTHON27(?,?), ref: 6C822F1D
                                                                                          Strings
                                                                                          • O|z:raw_unicode_escape_encode, xrefs: 6C822EE1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Unicode$Arg_EncodeEscapeFromObjectParseSizeTuple_
                                                                                          • String ID: O|z:raw_unicode_escape_encode
                                                                                          • API String ID: 3152522952-1418163826
                                                                                          • Opcode ID: 7450ed423efb94c450c535972f64fd9f13dd8bbc4c62746e6ca0fb0fff7c4f6e
                                                                                          • Instruction ID: 30febf089214305664a3f38b330596a258aba01539f92f75728ee3bef645cc3e
                                                                                          • Opcode Fuzzy Hash: 7450ed423efb94c450c535972f64fd9f13dd8bbc4c62746e6ca0fb0fff7c4f6e
                                                                                          • Instruction Fuzzy Hash: FE110875A10104ABC720DBA9DD08D8B73B8EF95338F1546A4E90887B41EB38EE46C7D1
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(?,?,?,?,?,?,6C9081B6,?,-000000FF,?,?,?,?,6C822548), ref: 6C9351DA
                                                                                          • PyDict_GetItem.PYTHON27(00000000,00000000,?,?,?,6C822548), ref: 6C9351EA
                                                                                          • PyErr_Format.PYTHON27(6CA65A68,unknown error handler name '%.400s',?,?,?,?,6C822548), ref: 6C935217
                                                                                            • Part of subcall function 6C935BD0: Py_FatalError.PYTHON27(GC object already tracked,?,?,?,6C822548), ref: 6C935C28
                                                                                            • Part of subcall function 6C935BD0: PyDict_New.PYTHON27(?,?,?,6C822548), ref: 6C935C57
                                                                                            • Part of subcall function 6C935BD0: PyDict_New.PYTHON27(?,?,?,6C822548), ref: 6C935C5F
                                                                                            • Part of subcall function 6C935BD0: PyCFunction_NewEx.PYTHON27(6CA46BFC,00000000,00000000,?,?,?,6C822548), ref: 6C935C78
                                                                                            • Part of subcall function 6C935BD0: Py_FatalError.PYTHON27(can't initialize codec error registry,?,?,?,?,?,?,6C822548), ref: 6C935C8B
                                                                                            • Part of subcall function 6C935BD0: PyCodec_RegisterError.PYTHON27(strict,00000000,?,?,?,?,?,?,6C822548), ref: 6C935C9B
                                                                                            • Part of subcall function 6C935BD0: Py_FatalError.PYTHON27(can't initialize codec error registry,?,?,?,?,?,?,?,?,6C822548), ref: 6C935CBF
                                                                                            • Part of subcall function 6C935BD0: Py_FatalError.PYTHON27(can't initialize codec registry,?,?,?,6C822548), ref: 6C935CEA
                                                                                            • Part of subcall function 6C935BD0: _PyImport_AcquireLock.PYTHON27(?,?,?,?,6C822548), ref: 6C935CF2
                                                                                            • Part of subcall function 6C935BD0: _PyImport_ReleaseLock.PYTHON27(?,?,?,?,?,?,?,6C822548), ref: 6C935D0C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Error$Fatal$Dict_$Import_Lock$AcquireCodec_Err_FormatFromFunction_ItemRegisterReleaseStringString_
                                                                                          • String ID: strict$unknown error handler name '%.400s'
                                                                                          • API String ID: 1875080234-1473117067
                                                                                          • Opcode ID: 5671e6b5783fcc0eef6ce05770947b4124f37564cda5a3b6503eb971a01ae9fd
                                                                                          • Instruction ID: 1909d5516fe427e9e9b43b2db63a9ba3a4190b00bf6a8866f43e5cc7909f1022
                                                                                          • Opcode Fuzzy Hash: 5671e6b5783fcc0eef6ce05770947b4124f37564cda5a3b6503eb971a01ae9fd
                                                                                          • Instruction Fuzzy Hash: 92110CB370022557C7109A99BC809AAB3ACEB99279B250775FD1CC7B41F721DD1583D1
                                                                                          Strings
                                                                                          • float() argument must be a string or a number, xrefs: 6C8D0B0E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: float() argument must be a string or a number
                                                                                          • API String ID: 0-4039469532
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?,?,?,00000000,?,?,6C8BFD81,?,?,?,?), ref: 6C8EC006
                                                                                          • PyType_IsSubtype.PYTHON27(?,?,?,?), ref: 6C8EC018
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\setobject.c,00000934,?,?,?,?), ref: 6C8EC039
                                                                                          Strings
                                                                                          • ..\Objects\setobject.c, xrefs: 6C8EC02E
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8EC033
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: SubtypeType_$Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\setobject.c
                                                                                          • API String ID: 1453002970-1012936799
                                                                                          APIs
                                                                                          • PyDict_GetItem.PYTHON27(?,00000000,?,00000000,?,?,?,6C8B9C75,00000000,?,?), ref: 6C8B9FB5
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\tupleobject.c,00000072), ref: 6C8B9FEF
                                                                                          • PyTuple_GetItem.PYTHON27(?,00000000,?,?), ref: 6C8BA01D
                                                                                          Strings
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8B9FE9
                                                                                          • ..\Objects\tupleobject.c, xrefs: 6C8B9FE4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Item$Dict_Err_FormatTuple_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\tupleobject.c
                                                                                          • API String ID: 1227451338-1285866127
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EBDE1
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EBDF3
                                                                                          • _PyErr_BadInternalCall.PYTHON27(..\Objects\setobject.c,00000904), ref: 6C8EBE09
                                                                                            • Part of subcall function 6C940890: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,?,6C8EBD4E,?,6C8EBD4E,..\Objects\setobject.c,000008F0), ref: 6C9408AA
                                                                                          • PyObject_Hash.PYTHON27(?), ref: 6C8EBE2D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_SubtypeType_$CallFormatHashInternalObject_
                                                                                          • String ID: ..\Objects\setobject.c
                                                                                          • API String ID: 66917421-1817486985
                                                                                          APIs
                                                                                          • PyObject_CallFunction.PYTHON27(?,6C96AF04,?,00000000), ref: 6C82463D
                                                                                            • Part of subcall function 6C8AF1F0: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AF217
                                                                                          • PyObject_CallFunction.PYTHON27(?,6C96AF08,?,?,00000000), ref: 6C824652
                                                                                          • PyType_IsSubtype.PYTHON27(?,6CA8FF60), ref: 6C824671
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s() must return a deque, not %.200s,?,?), ref: 6C824694
                                                                                          Strings
                                                                                          • %.200s() must return a deque, not %.200s, xrefs: 6C82468E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallErr_FunctionObject_$FormatStringSubtypeType_
                                                                                          • String ID: %.200s() must return a deque, not %.200s
                                                                                          • API String ID: 3684490585-3321660540
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(a partial object's dictionary may not be deleted), ref: 6C827DFA
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,a partial object's dictionary may not be deleted), ref: 6C827E03
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,setting partial object's dictionary to a non-dict), ref: 6C827E40
                                                                                          Strings
                                                                                          • setting partial object's dictionary to a non-dict, xrefs: 6C827E3A
                                                                                          • a partial object's dictionary may not be deleted, xrefs: 6C827DF5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String$FromObjectString_
                                                                                          • String ID: a partial object's dictionary may not be deleted$setting partial object's dictionary to a non-dict
                                                                                          • API String ID: 354487993-3418915442
                                                                                          APIs
                                                                                          • PyArg_UnpackTuple.PYTHON27(?,span,00000000,00000001,?), ref: 6C8381B4
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                            • Part of subcall function 6C837BB0: PyObject_GetItem.PYTHON27(?), ref: 6C837BCE
                                                                                            • Part of subcall function 6C837BB0: PyInt_AsSsize_t.PYTHON27(00000000), ref: 6C837BE9
                                                                                          • PyString_FromString.PYTHON27(no such group), ref: 6C8381F7
                                                                                          • PyErr_SetObject.PYTHON27(6CA65B38,00000000,no such group), ref: 6C838200
                                                                                            • Part of subcall function 6C838070: Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8380CA
                                                                                            • Part of subcall function 6C838070: PyInt_FromLong.PYTHON27 ref: 6C838102
                                                                                            • Part of subcall function 6C838070: PyInt_FromLong.PYTHON27(000000FE), ref: 6C838139
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: From$Int_$Err_LongObjectStringString_$Arg_ErrorFatalItemObject_Ssize_tTupleUnpack
                                                                                          • String ID: no such group$span
                                                                                          • API String ID: 1402233924-3350333473
                                                                                          Strings
                                                                                          • int() argument must be a string or a number, not '%.200s', xrefs: 6C8ADAA6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: int() argument must be a string or a number, not '%.200s'
                                                                                          • API String ID: 0-4148199198
                                                                                          APIs
                                                                                          • PyDict_New.PYTHON27 ref: 6C8C670B
                                                                                            • Part of subcall function 6C8C4510: PyString_FromString.PYTHON27(<dummy key>,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4529
                                                                                          • PyDict_Merge.PYTHON27(00000000,?,00000001), ref: 6C8C671A
                                                                                            • Part of subcall function 6C8C6460: PyDict_GetItem.PYTHON27(00000000,?,?,?,?,?,?,6C8C6452,?,?,00000001), ref: 6C8C650F
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,000006CD), ref: 6C8C675C
                                                                                          Strings
                                                                                          • ..\Objects\dictobject.c, xrefs: 6C8C6751
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8C6756
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Dict_$Err_FormatFromItemMergeStringString_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\dictobject.c
                                                                                          • API String ID: 3192880165-1541589624
                                                                                          • Opcode ID: ac18cbf0a251abe2452e9390a3118c4068fa471b8e54d9fb2acdb4818cb21f22
                                                                                          • Instruction ID: 20221de9913a6c6c92de7bc4690105d7ed8fceb8f0d2b7da2697ede6a68d30cb
                                                                                          • Opcode Fuzzy Hash: ac18cbf0a251abe2452e9390a3118c4068fa471b8e54d9fb2acdb4818cb21f22
                                                                                          • Instruction Fuzzy Hash: 5701F73670161057D3309B6DAE01EB67398DF82638F144F75EC18C7E80E615D87186D2
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute not set,object), ref: 6C8CA6FD
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute must be str,object), ref: 6C8CA726
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %.200s attribute must be str$%.200s attribute not set$object
                                                                                          • API String ID: 376477240-465120111
                                                                                          • Opcode ID: 1c72d266574f2c16db0b4633c7e91f4e2706bceebff9517056e830a5b2a09f10
                                                                                          • Instruction ID: 820170bc501cf3d35d6a546c691e670481971db2b514eb3d9c2849dcaf518306
                                                                                          • Opcode Fuzzy Hash: 1c72d266574f2c16db0b4633c7e91f4e2706bceebff9517056e830a5b2a09f10
                                                                                          • Instruction Fuzzy Hash: DF0192356156069FC700CF6CD940A9677B8BF16738B148BA4F8288BB81D736D892CBD1
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(0000000C,00000000,00000000,?,6C947421,00000014,?,6C94DEB4), ref: 6C8E508E
                                                                                          • PyString_FromString.PYTHON27(?,00000014,?,6C94DEB4), ref: 6C8E50B1
                                                                                          • PyDict_New.PYTHON27(?,00000014,?,6C94DEB4), ref: 6C8E50BB
                                                                                            • Part of subcall function 6C8C4510: PyString_FromString.PYTHON27(<dummy key>,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4529
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,__name__,00000000,?,00000014,?,6C94DEB4), ref: 6C8E50D2
                                                                                            • Part of subcall function 6C8C7460: PyString_FromString.PYTHON27(00000000,?,?,6C8E50D7,00000000,__name__,00000000,?,00000014,?,6C94DEB4), ref: 6C8C7468
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: String$FromString_$Dict_$ItemMallocObject_
                                                                                          • String ID: __name__
                                                                                          • API String ID: 2659566555-3954359393
                                                                                          • Opcode ID: 08902234c20e9e2d4149483e803820009c54218efbf33b9f18c756b863dcb451
                                                                                          • Instruction ID: 78e93b3cad5a351f076ea408eef5e1548d935d351cdff86de3dd0abc0c48c95a
                                                                                          • Opcode Fuzzy Hash: 08902234c20e9e2d4149483e803820009c54218efbf33b9f18c756b863dcb451
                                                                                          • Instruction Fuzzy Hash: FB0188B2901B1257D3309B69DD0599777A8AF46778B144B34DC388BB80E734E951C7D1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute not set,object), ref: 6C8CA85D
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute must be str,object), ref: 6C8CA886
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %.200s attribute must be str$%.200s attribute not set$object
                                                                                          • API String ID: 376477240-465120111
                                                                                          • Opcode ID: 4db227decd0e27ae5d4a311145ec214d25aea5b13e5fd035a4e8dcc193d2a80a
                                                                                          • Instruction ID: 49cc00275fa141a7b96585f2f9771b67d5fc32b8c48469901ecbd4a222f63115
                                                                                          • Opcode Fuzzy Hash: 4db227decd0e27ae5d4a311145ec214d25aea5b13e5fd035a4e8dcc193d2a80a
                                                                                          • Instruction Fuzzy Hash: 56019271A442159FC700CF68D98099677B4FF15328B188B98F4288BB81D736E8C3CBD1
                                                                                          APIs
                                                                                          • PyNumber_Index.PYTHON27(?), ref: 6C8ADE7B
                                                                                            • Part of subcall function 6C8AD650: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine,?,?,6C8AD72E,?,?,?,?,6C8AB2E8,6C8AEF3A,6CA65B38), ref: 6C8AD673
                                                                                          • _PyLong_Format.PYTHON27(00000000,?,00000000,00000001), ref: 6C8ADEA3
                                                                                          Strings
                                                                                          • PyNumber_ToBase: index not int or long, xrefs: 6C8ADECF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_FormatIndexLong_Number_String
                                                                                          • String ID: PyNumber_ToBase: index not int or long
                                                                                          • API String ID: 2826168078-4256377746
                                                                                          • Opcode ID: d67449d7abbfd2ff584c83c21586cc40aa41daae60b37098f2d541fb070b760b
                                                                                          • Instruction ID: b8999eb9d4d214d4cdfd49f9523e6830c06b237b7e67853356304fe5c2207742
                                                                                          • Opcode Fuzzy Hash: d67449d7abbfd2ff584c83c21586cc40aa41daae60b37098f2d541fb070b760b
                                                                                          • Instruction Fuzzy Hash: 9301A27660021067D7318A959D40FDB33A99B90728F104A25FE68CB780D725ED57C7E1
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(profiler already active), ref: 6C82A05C
                                                                                          • PyErr_SetObject.PYTHON27(?,00000000,profiler already active), ref: 6C82A065
                                                                                          • PyErr_SetString.PYTHON27(?,profiler already closed), ref: 6C82A09F
                                                                                          Strings
                                                                                          • profiler already closed, xrefs: 6C82A099
                                                                                          • profiler already active, xrefs: 6C82A057
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_String$FromObjectString_
                                                                                          • String ID: profiler already active$profiler already closed
                                                                                          • API String ID: 354487993-669324291
                                                                                          • Opcode ID: 710ef6b220c4801fe39465446c18e0b750d37879dfb4beac8adbc71d8d402571
                                                                                          • Instruction ID: a8af7a8f555bfdb451256c00acca9fc75490a99959522b445f033c385aac32c2
                                                                                          • Opcode Fuzzy Hash: 710ef6b220c4801fe39465446c18e0b750d37879dfb4beac8adbc71d8d402571
                                                                                          • Instruction Fuzzy Hash: F1F02633A021149FD3219959BD0CAE6B3E8DB9523CF1407B6EC2C43A80F72AD85682D1
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,PyCObject_GetDesc with non-C-object), ref: 6C8BED6C
                                                                                          • PyString_FromString.PYTHON27(PyCObject_GetDesc called with null pointer), ref: 6C8BED8B
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,PyCObject_GetDesc called with null pointer), ref: 6C8BED94
                                                                                          Strings
                                                                                          • PyCObject_GetDesc with non-C-object, xrefs: 6C8BED66
                                                                                          • PyCObject_GetDesc called with null pointer, xrefs: 6C8BED86
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_String$FromObjectString_
                                                                                          • String ID: PyCObject_GetDesc called with null pointer$PyCObject_GetDesc with non-C-object
                                                                                          • API String ID: 354487993-3115127300
                                                                                          • Opcode ID: ce5b0fc1b0f32532919e94b9ac9bc9b0b2ffac4b3e202dbbc9ebfa37dc1ebdb8
                                                                                          • Instruction ID: cc12c5a1fd532997751ffe48bcf2278968a3d6a49b192d7ecb859a258c7b2649
                                                                                          • Opcode Fuzzy Hash: ce5b0fc1b0f32532919e94b9ac9bc9b0b2ffac4b3e202dbbc9ebfa37dc1ebdb8
                                                                                          • Instruction Fuzzy Hash: EB01F732A015155FC720DAADAD0499633A4DB56339B1887A9EC2C97B80E771D85283D1
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EBEEC
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EBF06
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\setobject.c,00000919), ref: 6C8EBF2C
                                                                                          Strings
                                                                                          • ..\Objects\setobject.c, xrefs: 6C8EBF21
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8EBF26
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: SubtypeType_$Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\setobject.c
                                                                                          • API String ID: 1453002970-1012936799
                                                                                          • Opcode ID: ebd8478ec04131065b958446c9dd8dfcadf9048380958dd76d7e0c415ac0e9a4
                                                                                          • Instruction ID: aeced3748298b93233fdaab3061923de83dcffe60f391cff870c3f909f6a2572
                                                                                          • Opcode Fuzzy Hash: ebd8478ec04131065b958446c9dd8dfcadf9048380958dd76d7e0c415ac0e9a4
                                                                                          • Instruction Fuzzy Hash: D6F02836A01211164A20551D6E018F97358AB5A27DB148B66FC38F3F81EB31E96589EA
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(logreader's file object already closed), ref: 6C828FDD
                                                                                          • PyErr_SetObject.PYTHON27(6CA65D10,00000000,logreader's file object already closed), ref: 6C828FE6
                                                                                          • _fileno.MSVCR90 ref: 6C82900C
                                                                                          • PyInt_FromLong.PYTHON27(00000000), ref: 6C829013
                                                                                          Strings
                                                                                          • logreader's file object already closed, xrefs: 6C828FD8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: From$Err_Int_LongObjectStringString__fileno
                                                                                          • String ID: logreader's file object already closed
                                                                                          • API String ID: 2431734947-2904759066
                                                                                          • Opcode ID: eb2ebae64de9eed0a8d980e443bdbfe66d40816c94c928d2bdc66b98d073ae66
                                                                                          • Instruction ID: 6f454ed8ad08ae53b107bf5a88c8cc4961d16273fc5765ef457eabaef1c616a2
                                                                                          • Opcode Fuzzy Hash: eb2ebae64de9eed0a8d980e443bdbfe66d40816c94c928d2bdc66b98d073ae66
                                                                                          • Instruction Fuzzy Hash: 61F0F673A04514178720AA69AC088AB73ACCB8627871547A5ED1887B80E726E81683E1
                                                                                          APIs
                                                                                          • PyOS_CheckStack.PYTHON27(?,?,6C8AF0AA, while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C92E7CA
                                                                                          • PyErr_SetString.PYTHON27(6CA667A8,Stack overflow,?,?,6C8AF0AA, while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C92E7E1
                                                                                          • PyErr_Format.PYTHON27(6CA65248,maximum recursion depth exceeded%s,00000000,?,?,6C8AF0AA, while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C92E810
                                                                                          Strings
                                                                                          • Stack overflow, xrefs: 6C92E7DB
                                                                                          • maximum recursion depth exceeded%s, xrefs: 6C92E80A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$CheckFormatStackString
                                                                                          • String ID: Stack overflow$maximum recursion depth exceeded%s
                                                                                          • API String ID: 3709953551-2207580994
                                                                                          • Opcode ID: c8ac0d3eecd9788bd9e7a9ba16b6911863563d0e7c26bd1dec87491c901a4466
                                                                                          • Instruction ID: 5851c27a8a9f0f8de018c56a4c743c73c17a45f2e4a6a2b146d9c765939a7a37
                                                                                          • Opcode Fuzzy Hash: c8ac0d3eecd9788bd9e7a9ba16b6911863563d0e7c26bd1dec87491c901a4466
                                                                                          • Instruction Fuzzy Hash: 96F06D326107155B8B08DBB9F980C6677A8E755278304CA66F92DC3B80DB25E4508B90
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\tupleobject.c,0000007D,?,6C8BA9F5,?,00000000,?,?,?,?,?,?,6C8AF9FC,?), ref: 6C8F7EF8
                                                                                          Strings
                                                                                          • tuple index out of range, xrefs: 6C8F7F20
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8F7EF2
                                                                                          • ..\Objects\tupleobject.c, xrefs: 6C8F7EED
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\tupleobject.c$tuple index out of range
                                                                                          • API String ID: 376477240-1998913833
                                                                                          • Opcode ID: 875d1da59ebc276112f2e92c43b0793e4030dc6ffcf0d9510064cbf1b8adf4d5
                                                                                          • Instruction ID: 25520fb13993a48fd71bec7c54892fd9f4d5e543b09ecb10be0ee1aa2bf10996
                                                                                          • Opcode Fuzzy Hash: 875d1da59ebc276112f2e92c43b0793e4030dc6ffcf0d9510064cbf1b8adf4d5
                                                                                          • Instruction Fuzzy Hash: CFF0F0317002085BE724CE68DD41E2573A4E705318F088AC9FC1CC7B40E623E852D791
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute not set,encoding), ref: 6C8CA5CE
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute must be str,encoding), ref: 6C8CA5F6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %.200s attribute must be str$%.200s attribute not set$encoding
                                                                                          • API String ID: 376477240-2505966323
                                                                                          • Opcode ID: 0334d147a9a9d53b671cb94c5a0778aa5a13a93320533f1d76c28529a29d7d60
                                                                                          • Instruction ID: 40159d892b13b856c271a0731de0eed9c51520204bd04c418cff4c539c206e88
                                                                                          • Opcode Fuzzy Hash: 0334d147a9a9d53b671cb94c5a0778aa5a13a93320533f1d76c28529a29d7d60
                                                                                          • Instruction Fuzzy Hash: AAF0E5317003095FD710DBB4EE00E6633BCAB9420CB04C865F90CC7E01EB26D8505A90
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute not set,encoding), ref: 6C8CA56E
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute must be str,encoding), ref: 6C8CA596
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %.200s attribute must be str$%.200s attribute not set$encoding
                                                                                          • API String ID: 376477240-2505966323
                                                                                          • Opcode ID: 0334d147a9a9d53b671cb94c5a0778aa5a13a93320533f1d76c28529a29d7d60
                                                                                          • Instruction ID: 373292d7ac9a50481c4a86f1801081fe80b56a06deaf63b4baba905b53151edb
                                                                                          • Opcode Fuzzy Hash: 0334d147a9a9d53b671cb94c5a0778aa5a13a93320533f1d76c28529a29d7d60
                                                                                          • Instruction Fuzzy Hash: F4F06D327103095FD714DBB5EE04E6A37BCABA424CB08C9A9F90CC7E01EB26D8559A91
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute not set,object), ref: 6C8CA63E
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute must be str,object), ref: 6C8CA666
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %.200s attribute must be str$%.200s attribute not set$object
                                                                                          • API String ID: 376477240-465120111
                                                                                          • Opcode ID: ce318895b134daabd45de49ffaa122954d09ef078881b7ebe90f84671a812190
                                                                                          • Instruction ID: a56725170ee042a5107cd5fc011efb056f438ea09c9a1bbd1d086c123779c640
                                                                                          • Opcode Fuzzy Hash: ce318895b134daabd45de49ffaa122954d09ef078881b7ebe90f84671a812190
                                                                                          • Instruction Fuzzy Hash: 18F065327543095FD714DB78EE40D6633F8A77464CB088964F80CC7E01EB2AD8959AA0
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute not set,reason), ref: 6C8CA9CE
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute must be str,reason), ref: 6C8CA9F6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %.200s attribute must be str$%.200s attribute not set$reason
                                                                                          • API String ID: 376477240-2292975759
                                                                                          • Opcode ID: 1d0ebb05f69e1e346a245586c8e74abde26fadc7e9fefa1aab802aec8ed775d7
                                                                                          • Instruction ID: 8faee843c21f2638f3ce54b8f6d878c54b1acac64b6c0f188f3a194f4741ba79
                                                                                          • Opcode Fuzzy Hash: 1d0ebb05f69e1e346a245586c8e74abde26fadc7e9fefa1aab802aec8ed775d7
                                                                                          • Instruction Fuzzy Hash: C8F06572B503095FD710DB65EE41D7537B8A764648B088D64F90CC7E01E72BE8955B90
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute not set,reason), ref: 6C8CA96E
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute must be str,reason), ref: 6C8CA996
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %.200s attribute must be str$%.200s attribute not set$reason
                                                                                          • API String ID: 376477240-2292975759
                                                                                          • Opcode ID: 1d0ebb05f69e1e346a245586c8e74abde26fadc7e9fefa1aab802aec8ed775d7
                                                                                          • Instruction ID: d58314bccdef666f0eab884b014a06a44dc2b659d2933b7848473564cb28bc93
                                                                                          • Opcode Fuzzy Hash: 1d0ebb05f69e1e346a245586c8e74abde26fadc7e9fefa1aab802aec8ed775d7
                                                                                          • Instruction Fuzzy Hash: CFF065327503095FD710DB65EE01D7537B8A7A4648B08CD64F90CC7E01E72BE8955B91
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute not set,object,6C8CA69F), ref: 6C8CA514
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%.200s attribute must be unicode,object), ref: 6C8CA53C
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %.200s attribute must be unicode$%.200s attribute not set$object
                                                                                          • API String ID: 376477240-1433534347
                                                                                          • Opcode ID: 54f1ba0931a7d8e164acb1216c4e13a92f0fc63efd6bb58b4e959f1dbd191d54
                                                                                          • Instruction ID: 8a0581eb0d4d9d29b9cd5a9f5c96523a158f3374d6b4baa113778447a0c4d2f3
                                                                                          • Opcode Fuzzy Hash: 54f1ba0931a7d8e164acb1216c4e13a92f0fc63efd6bb58b4e959f1dbd191d54
                                                                                          • Instruction Fuzzy Hash: 2EE086727012456EDB10D770CE40E6B33B467B424DF08CDA8B905C7E01EB2BC4456AA0
                                                                                          APIs
                                                                                          • PyErr_NoMemory.PYTHON27(?,00000000,00000000), ref: 6C9087EC
                                                                                            • Part of subcall function 6C940380: PyErr_GivenExceptionMatches.PYTHON27(00000000,6CA667A8,?,6C8F7E82,00000000,6C8AB1D5,?,?,?,6C8AF66F,00000000,?,00000000,6C8AF785,00000000), ref: 6C940396
                                                                                            • Part of subcall function 6C940380: PyErr_SetObject.PYTHON27(6CA667A8,?), ref: 6C9403B3
                                                                                          • PyObject_Malloc.PYTHON27(00000015,?,?,?,00000000,00000000), ref: 6C908807
                                                                                          • PyString_InternInPlace.PYTHON27(00000000,?,00000000,00000000), ref: 6C908839
                                                                                          Similarity
                                                                                          • API ID: Err_$ExceptionGivenInternMallocMatchesMemoryObjectObject_PlaceString_
                                                                                          • String ID:
                                                                                          • API String ID: 349208754-0
                                                                                          • Opcode ID: 5d311ba487d026253127d54d38205549e221b8826acb834acf31706f2e558abd
                                                                                          • Instruction ID: 899ef1ef3c5b482060a49602deb9fe525e4d015eb7c7e04d6e7efdeb06a73b67
                                                                                          • Opcode Fuzzy Hash: 5d311ba487d026253127d54d38205549e221b8826acb834acf31706f2e558abd
                                                                                          • Instruction Fuzzy Hash: 1C615636B056598FDB18AE59C4403EDBBA9EB41318F5482AFDCF48BA41D334C186C79A
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: Err_Memory$freemallocmemset
                                                                                          • String ID:
                                                                                          • API String ID: 1522105653-0
                                                                                          • Opcode ID: 3ebb32cb0ad74cf42e3b44c3244cdc7abfd25dddf28775b73668f0250fef4e20
                                                                                          • Instruction ID: 384f4ea4f6da1835ad8838a83976e8b2a3c8e3d2fa029083dff113cd1b7bdadb
                                                                                          • Opcode Fuzzy Hash: 3ebb32cb0ad74cf42e3b44c3244cdc7abfd25dddf28775b73668f0250fef4e20
                                                                                          • Instruction Fuzzy Hash: 9A4126717002054BDB20DF65D9C06AAB3F9EFC4329F254A69D919C7B50E730E984C782
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: Err_free$ClearMemorymalloc
                                                                                          • String ID:
                                                                                          • API String ID: 298716102-0
                                                                                          • Opcode ID: 7c42fa727c7ba210b1d4679e5460a6de3a3b770cb11a5b78f0e350925fa0e52e
                                                                                          • Instruction ID: c03adf705af83e587d043af8281ff96f57bb913eef11fa02c37ae5d432ae8952
                                                                                          • Opcode Fuzzy Hash: 7c42fa727c7ba210b1d4679e5460a6de3a3b770cb11a5b78f0e350925fa0e52e
                                                                                          • Instruction Fuzzy Hash: 094107716007028FC724CF5BD884566B7F4FBC2329B248A2DD46AC7A40E735E8968FE1
                                                                                          APIs
                                                                                          • malloc.MSVCR90 ref: 6C950607
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6C95065C
                                                                                          • _PyThreadState_Init.PYTHON27(00000000), ref: 6C950692
                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6C9506C9
                                                                                          • SetEvent.KERNEL32(?), ref: 6C9506D7
                                                                                          Similarity
                                                                                          • API ID: Thread$CurrentDecrementEventInitInterlockedState_malloc
                                                                                          • String ID:
                                                                                          • API String ID: 743730388-0
                                                                                          • Opcode ID: 267d456e2cdc85680b9a73d1005efc12ff177d86cdd3324c0a213cafd9f7a56a
                                                                                          • Instruction ID: 881c4da5b3260b4257fd240d241206bcb877e3697560b7d01ce5d184e7d06722
                                                                                          • Opcode Fuzzy Hash: 267d456e2cdc85680b9a73d1005efc12ff177d86cdd3324c0a213cafd9f7a56a
                                                                                          • Instruction Fuzzy Hash: 6F31D2B1901B529FD720DF6B9584446FBF4BB492187A09A2ED5AE83B40D330E465CF80
                                                                                          APIs
                                                                                          • PyObject_Call.PYTHON27(?,00000000,00000000), ref: 6C8300D5
                                                                                            • Part of subcall function 6C8AF070: _Py_CheckRecursiveCall.PYTHON27( while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C8AF0A5
                                                                                            • Part of subcall function 6C8AF070: PyErr_SetString.PYTHON27(6CA665C8,NULL result without error in PyObject_Call,?,00000000,00000000), ref: 6C8AF0E4
                                                                                          • PyErr_WriteUnraisable.PYTHON27(?), ref: 6C8300E7
                                                                                            • Part of subcall function 6C940B50: PySys_GetObject.PYTHON27(stderr,00000000,?,?,?,?,6C918367,?), ref: 6C940B80
                                                                                            • Part of subcall function 6C940B50: PyFile_WriteString.PYTHON27(Exception ,00000000,?,?,?,6C918367,?), ref: 6C940B98
                                                                                            • Part of subcall function 6C940B50: strrchr.MSVCR90 ref: 6C940BC3
                                                                                            • Part of subcall function 6C940B50: PyObject_GetAttrString.PYTHON27(?,__module__,?,?,?,?,?,6C918367,?), ref: 6C940BD9
                                                                                            • Part of subcall function 6C940B50: PyFile_WriteString.PYTHON27(<unknown>,00000000,?,?,?,?,?,?,?,6C918367,?), ref: 6C940BF0
                                                                                            • Part of subcall function 6C940B50: PyFile_WriteString.PYTHON27(00000000,00000000,?,?,?,?,?,?,?,?,6C918367,?), ref: 6C940C5E
                                                                                            • Part of subcall function 6C940B50: PyFile_WriteString.PYTHON27(6CA1B634,00000000,?,?,?,?,?,?,?,?,?,?,6C918367,?), ref: 6C940C7B
                                                                                            • Part of subcall function 6C940B50: PyFile_WriteObject.PYTHON27(6C918367,00000000,00000000,6CA1B634,00000000,?,?,?,?,?,?,?,?,?,?,6C918367), ref: 6C940C84
                                                                                            • Part of subcall function 6C940B50: PyErr_Clear.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C918367), ref: 6C940C90
                                                                                            • Part of subcall function 6C940B50: PyFile_WriteString.PYTHON27(<exception repr() failed>,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C940C9B
                                                                                            • Part of subcall function 6C940B50: PyFile_WriteString.PYTHON27( in ,00000000,?,?,?,?,?,6C918367,?), ref: 6C940CC1
                                                                                          • PyLong_AsLongLong.PYTHON27(00000000), ref: 6C830105
                                                                                          • PyErr_WriteUnraisable.PYTHON27(?), ref: 6C83014A
                                                                                          Similarity
                                                                                          • API ID: Write$String$File_$Err_$CallLongObjectObject_Unraisable$AttrCheckClearLong_RecursiveSys_strrchr
                                                                                          • String ID:
                                                                                          • API String ID: 3056655519-0
                                                                                          • Opcode ID: 7fd11368826c76ab0ce477fb1a5c9a969415b7f1df7586fcf409e939905799c1
                                                                                          • Instruction ID: 08d280b3d248004e0bbf1be54b90004f05aa67b207ad8d7fe37abb9c465aa90c
                                                                                          • Opcode Fuzzy Hash: 7fd11368826c76ab0ce477fb1a5c9a969415b7f1df7586fcf409e939905799c1
                                                                                          • Instruction Fuzzy Hash: 41110477B006019BE314DAAAED80ACB736AABD526CF054635E50D83B40D731E85A87E1
                                                                                          APIs
                                                                                          • fwrite.MSVCR90 ref: 6C82971E
                                                                                          • fflush.MSVCR90 ref: 6C829742
                                                                                          • memmove.MSVCR90(?,00000014,?), ref: 6C829761
                                                                                          • PyString_AsString.PYTHON27(?), ref: 6C829775
                                                                                          • PyErr_SetFromErrnoWithFilename.PYTHON27(6CA64EC0,00000000), ref: 6C829785
                                                                                          Similarity
                                                                                          • API ID: Err_ErrnoFilenameFromStringString_Withfflushfwritememmove
                                                                                          • String ID:
                                                                                          • API String ID: 2743657609-0
                                                                                          • Opcode ID: ff3d6109b91e9b6b4e6684269fbac1b9fb42e68ffcf86cbe490e66fa79891236
                                                                                          • Instruction ID: 98179ea49e4898d823280f16a21a1c58499b9da468503029feb5e4cddc338eb3
                                                                                          • Opcode Fuzzy Hash: ff3d6109b91e9b6b4e6684269fbac1b9fb42e68ffcf86cbe490e66fa79891236
                                                                                          • Instruction Fuzzy Hash: F3110A766042105BDB24CE69EDC89A7376CEB45328F044765ED588B345EB35D82487F2
                                                                                          APIs
                                                                                          • malloc.MSVCR90 ref: 6C8DF60D
                                                                                          • PyUnicodeUCS2_EncodeDecimal.PYTHON27(?,?,00000000,00000000), ref: 6C8DF624
                                                                                          • free.MSVCR90 ref: 6C8DF631
                                                                                          • PyLong_FromString.PYTHON27(00000000,00000000,?), ref: 6C8DF648
                                                                                          • free.MSVCR90 ref: 6C8DF653
                                                                                          Similarity
                                                                                          • API ID: free$DecimalEncodeFromLong_StringUnicodemalloc
                                                                                          • String ID:
                                                                                          • API String ID: 3848787443-0
                                                                                          APIs
                                                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,000000FF), ref: 6C9679BF
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 6C9679D3
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,6C92E5C7,00000000,?,?,?,?,6C880EC8,6C880560,?), ref: 6C9679E3
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6C9679EB
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6C9679FB
                                                                                          Similarity
                                                                                          • API ID: CurrentInterlockedThread$CompareExchangeIncrementObjectSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 1009837465-0
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,can't convert negative long to unsigned), ref: 6C8DDDB8
                                                                                          • PyErr_SetString.PYTHON27(6CA663F8,long too big to convert), ref: 6C8DDF06
                                                                                          Strings
                                                                                          • long too big to convert, xrefs: 6C8DDF00
                                                                                          • can't convert negative long to unsigned, xrefs: 6C8DDDB2
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: can't convert negative long to unsigned$long too big to convert
                                                                                          • API String ID: 1450464846-3211828677
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,s*|zi:mbcs_decode,?,?,?), ref: 6C8225F4
                                                                                          • PyUnicode_DecodeMBCSStateful.PYTHON27(?,?,?,?), ref: 6C822625
                                                                                          Similarity
                                                                                          • API ID: Arg_DecodeParseSizeStatefulTuple_Unicode_
                                                                                          • String ID: s*|zi:mbcs_decode
                                                                                          • API String ID: 3965784926-1507612309
                                                                                          APIs
                                                                                          • PyArg_ParseTupleAndKeywords.PYTHON27(?,?,OO&:scan_once,6CA818E4,?,Function_0000ADC0,?), ref: 6C82DD5C
                                                                                            • Part of subcall function 6C82D510: PyString_FromString.PYTHON27(idx cannot be negative,?,?,?,?,?,6C82C59D,FFFFFFFD,?,?,?), ref: 6C82D532
                                                                                            • Part of subcall function 6C82D510: PyErr_SetObject.PYTHON27(6CA65D10,00000000,?), ref: 6C82D53E
                                                                                            • Part of subcall function 6C82B580: PyInt_FromLong.PYTHON27 ref: 6C82B59D
                                                                                          Strings
                                                                                          • first argument must be a string, not %.80s, xrefs: 6C82DDD2
                                                                                          • OO&:scan_once, xrefs: 6C82DD4E
                                                                                          Similarity
                                                                                          • API ID: From$Arg_Err_Int_KeywordsLongObjectParseStringString_Tuple
                                                                                          • String ID: OO&:scan_once$first argument must be a string, not %.80s
                                                                                          • API String ID: 2740004086-585280560
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,s*|zO:charmap_decode,?,?,?), ref: 6C822514
                                                                                          • PyUnicodeUCS2_DecodeCharmap.PYTHON27(?,?,?,?), ref: 6C822543
                                                                                          Similarity
                                                                                          • API ID: Arg_CharmapDecodeParseSizeTuple_Unicode
                                                                                          • String ID: s*|zO:charmap_decode
                                                                                          • API String ID: 2828756669-2412081656
                                                                                          APIs
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6C880DD6
                                                                                          • Py_BuildValue.PYTHON27((iO),00000001,?), ref: 6C880E27
                                                                                          • PyEval_CallObjectWithKeywords.PYTHON27(?,00000000,00000000), ref: 6C880E4B
                                                                                          Similarity
                                                                                          • API ID: BuildCallCurrentEval_KeywordsObjectThreadValueWith
                                                                                          • String ID: (iO)
                                                                                          • API String ID: 4089372107-915891140
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(<dummy key>,00000000,E8526CA6,?,?,6C8BF060,00000000,?,?,?,6C8BF1E2,?), ref: 6C8E9E66
                                                                                          • memset.MSVCR90 ref: 6C8E9EB2
                                                                                          • PyObject_GC_Track.PYTHON27 ref: 6C8E9EDA
                                                                                          Similarity
                                                                                          • API ID: FromObject_StringString_Trackmemset
                                                                                          • String ID: <dummy key>
                                                                                          • API String ID: 733772200-4195026744
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,0000038B), ref: 6C8C51CF
                                                                                          • PyObject_Hash.PYTHON27(?), ref: 6C8C51F6
                                                                                          Strings
                                                                                          • ..\Objects\dictobject.c, xrefs: 6C8C51C4
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8C51C9
                                                                                          Similarity
                                                                                          • API ID: Err_FormatHashObject_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\dictobject.c
                                                                                          • API String ID: 896634218-1541589624
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,s*|z:ascii_decode,?,?), ref: 6C82244E
                                                                                          • PyUnicodeUCS2_DecodeASCII.PYTHON27(?,?,00000000), ref: 6C82246D
                                                                                          • _Py_BuildValue_SizeT.PYTHON27(6C96A948,00000000,?), ref: 6C8224C1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Size$Arg_BuildDecodeParseTuple_UnicodeValue_
                                                                                          • String ID: s*|z:ascii_decode
                                                                                          • API String ID: 221429529-3412250790
                                                                                          APIs
                                                                                          • _PyObject_GC_NewVar.PYTHON27(?,00000001), ref: 6C8AF158
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked,6C8AF2E2), ref: 6C8AF17B
                                                                                          • PyObject_Call.PYTHON27(6C8AF2E2,00000001,00000000), ref: 6C8AF1B2
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8AF176
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object_$CallErrorFatal
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 2672030518-3349536495
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(pop from an empty deque), ref: 6C8235AF
                                                                                          • PyErr_SetObject.PYTHON27(6CA65B38,00000000,pop from an empty deque), ref: 6C8235B8
                                                                                          • free.MSVCR90 ref: 6C823632
                                                                                          Strings
                                                                                          • pop from an empty deque, xrefs: 6C8235AA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_free
                                                                                          • String ID: pop from an empty deque
                                                                                          • API String ID: 1310082783-3953269096
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(pop from an empty deque), ref: 6C8234DF
                                                                                          • PyErr_SetObject.PYTHON27(6CA65B38,00000000,pop from an empty deque), ref: 6C8234E8
                                                                                          • free.MSVCR90 ref: 6C823562
                                                                                          Strings
                                                                                          • pop from an empty deque, xrefs: 6C8234DA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_free
                                                                                          • String ID: pop from an empty deque
                                                                                          • API String ID: 1310082783-3953269096
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AE731
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,'%.200s' object doesn't support slice deletion,?), ref: 6C8AE7AA
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AE72B
                                                                                          • '%.200s' object doesn't support slice deletion, xrefs: 6C8AE7A4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$FormatString
                                                                                          • String ID: '%.200s' object doesn't support slice deletion$null argument to internal routine
                                                                                          • API String ID: 4212644371-114744853
                                                                                          APIs
                                                                                          • PyObject_GetAttr.PYTHON27(?,?), ref: 6C8AF6B4
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AF73A
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AF734
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttrErr_Object_String
                                                                                          • String ID: null argument to internal routine
                                                                                          • API String ID: 3019503910-2212441169
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|nn:scanner,?,?,?), ref: 6C8387E8
                                                                                          • PyObject_Malloc.PYTHON27(00000368), ref: 6C838801
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C83880D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Arg_Err_MallocMemoryObject_ParseSizeTuple_
                                                                                          • String ID: O|nn:scanner
                                                                                          • API String ID: 3578119790-1243287501
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|z:latin_1_encode,?,?), ref: 6C822F9E
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C822FB4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Arg_FromObjectParseSizeTuple_Unicode
                                                                                          • String ID: O|z:latin_1_encode
                                                                                          • API String ID: 22654875-4126519268
                                                                                          • Opcode ID: 968f53e70c4cdf0ae3b6fb7081f3478fcec580381bd892fec80e2fc2db88eb13
                                                                                          • Instruction ID: 08d789d05bfa4b6f87f76908985588676f103c63723ec9252e0823c550df2ae4
                                                                                          • Opcode Fuzzy Hash: 968f53e70c4cdf0ae3b6fb7081f3478fcec580381bd892fec80e2fc2db88eb13
                                                                                          • Instruction Fuzzy Hash: 7B21E4B5A00104AFD720DB99DD49E8EB3F8EF98324F1446A4E80897741E734EE45C7E1
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|z:ascii_encode,?,?), ref: 6C82304E
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C823064
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Arg_FromObjectParseSizeTuple_Unicode
                                                                                          • String ID: O|z:ascii_encode
                                                                                          • API String ID: 22654875-646729116
                                                                                          • Opcode ID: ef7bfb6b941dfc7a4ea9459b490c52e5cac3536e0a2b777df8e7cec06c891d81
                                                                                          • Instruction ID: 6a2952b9ca9dbdca1ebb2af415a6b9ddb5003b77c25e715094a94510a22cda7c
                                                                                          • Opcode Fuzzy Hash: ef7bfb6b941dfc7a4ea9459b490c52e5cac3536e0a2b777df8e7cec06c891d81
                                                                                          • Instruction Fuzzy Hash: A921D2B5A00108AFD710CBA9CD45E9AB3B9EF94328F1486A4E80897741EB34EE45C7E1
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,O|z:unicode_escape_encode,?,?), ref: 6C822E3E
                                                                                          • PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6C822E54
                                                                                          Strings
                                                                                          • O|z:unicode_escape_encode, xrefs: 6C822E31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Arg_FromObjectParseSizeTuple_Unicode
                                                                                          • String ID: O|z:unicode_escape_encode
                                                                                          • API String ID: 22654875-2688519145
                                                                                          • Opcode ID: cd3f9d4306312b1eb24c8b8ffc26b9133bd34c3a933cee326498c3a75ae2e537
                                                                                          • Instruction ID: 1dbf095bfe6b36d22e6d87488760e82d9dd9540273054d16d52bddbaa4cd3612
                                                                                          • Opcode Fuzzy Hash: cd3f9d4306312b1eb24c8b8ffc26b9133bd34c3a933cee326498c3a75ae2e537
                                                                                          • Instruction Fuzzy Hash: 6D110A75A10104AFC710DB59CD48E8E73B8DF94328F254694E90887B41E739EE06D7D1
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(<dummy key>,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4529
                                                                                          • _PyObject_GC_Malloc.PYTHON27(0000007C,00000000,00000000,00000000,?,?,6C8E50C0,?,00000014,?,6C94DEB4), ref: 6C8C4588
                                                                                          • memset.MSVCR90 ref: 6C8C45AA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: FromMallocObject_StringString_memset
                                                                                          • String ID: <dummy key>
                                                                                          • API String ID: 1835424476-4195026744
                                                                                          • Opcode ID: f44e5477deb3ac5a430450c30ea4c2f6b67f797d0f8d12792761907231cf4bdc
                                                                                          • Instruction ID: 79435ef64c58e29f073489e62bf607659c9db23a9d320a4361b2912bde28b63e
                                                                                          • Opcode Fuzzy Hash: f44e5477deb3ac5a430450c30ea4c2f6b67f797d0f8d12792761907231cf4bdc
                                                                                          • Instruction Fuzzy Hash: DD1184B2B007118FD7309F59E981666B7F4E781328B404F3ED95987E00E371E5598BD1
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine,?,?,6C8AB400,?,00000000,?), ref: 6C8AE4F1
                                                                                          Strings
                                                                                          • '%.200s' object does not support item assignment, xrefs: 6C8AE54F
                                                                                          • null argument to internal routine, xrefs: 6C8AE4EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: '%.200s' object does not support item assignment$null argument to internal routine
                                                                                          • API String ID: 1450464846-3379225667
                                                                                          • Opcode ID: 731845c48d513d75274ce4d4852be5839fee52f3bc79fd55f3436b3a19312a4b
                                                                                          • Instruction ID: 031216f5c749942e42f33c6ecec598c67fd21add32485e066a1d8156cac1441e
                                                                                          • Opcode Fuzzy Hash: 731845c48d513d75274ce4d4852be5839fee52f3bc79fd55f3436b3a19312a4b
                                                                                          • Instruction Fuzzy Hash: 3211E3763016115BC710CEADFD80D6673B8EBC46387144B2AE92C87B80E721E856C7A0
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine,?,?,6C8AB4E5,?,00000000), ref: 6C8AE591
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AE58B
                                                                                          • '%.200s' object doesn't support item deletion, xrefs: 6C8AE5ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: '%.200s' object doesn't support item deletion$null argument to internal routine
                                                                                          • API String ID: 1450464846-2772571300
                                                                                          • Opcode ID: f55a46ec24ae29f8c7157217e815965eed79aa54c68bdc51ef0d4d9371b0078d
                                                                                          • Instruction ID: 9fb0762638825d567bfabfe9faeddb62520715c96ede49fac82719023388de6a
                                                                                          • Opcode Fuzzy Hash: f55a46ec24ae29f8c7157217e815965eed79aa54c68bdc51ef0d4d9371b0078d
                                                                                          • Instruction Fuzzy Hash: F411CA767056105BC611CA99FD80A5673B8DB84738B144F36F96C87E90E721E45687A0
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,0000036B), ref: 6C8C512D
                                                                                          • PyObject_Hash.PYTHON27(?), ref: 6C8C5153
                                                                                          Strings
                                                                                          • ..\Objects\dictobject.c, xrefs: 6C8C5122
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8C5127
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FormatHashObject_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\dictobject.c
                                                                                          • API String ID: 896634218-1541589624
                                                                                          • Opcode ID: fa8a738393398e697ff29a9b6666b809c70ea065994c0864fdc1190e22ca842d
                                                                                          • Instruction ID: a5e3d92ea8ac7cb685af8fe15bca95d8abe1a5fb26e99aaeee9151237226a302
                                                                                          • Opcode Fuzzy Hash: fa8a738393398e697ff29a9b6666b809c70ea065994c0864fdc1190e22ca842d
                                                                                          • Instruction Fuzzy Hash: 7F012B327056041BC6309B2D9D40AAA7368DB81338F244B56F83CC3FC0DB35D89196D3
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,s#|z:readbuffer_encode,?,?,?), ref: 6C8226D2
                                                                                          • PyString_FromStringAndSize.PYTHON27(?,?), ref: 6C8226EE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Size$Arg_FromParseStringString_Tuple_
                                                                                          • String ID: s#|z:readbuffer_encode
                                                                                          • API String ID: 2714287502-3227709264
                                                                                          • Opcode ID: c7af82b9c9542034a6874bf71d17eb32cd2ce92e5bd4ed57c11f502e29dc48a8
                                                                                          • Instruction ID: dae88d84fad108237a5e77625c0ec94883b811467ed8e51c9f31821835621e8f
                                                                                          • Opcode Fuzzy Hash: c7af82b9c9542034a6874bf71d17eb32cd2ce92e5bd4ed57c11f502e29dc48a8
                                                                                          • Instruction Fuzzy Hash: 7001B1B6E041086BCB20DAA9AC05DDA77FCEBD5238F0447A5EC58C3B40E6349A59C3E1
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,t#|z:charbuffer_encode,?,?,?), ref: 6C822752
                                                                                          • PyString_FromStringAndSize.PYTHON27(?,?), ref: 6C82276E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Size$Arg_FromParseStringString_Tuple_
                                                                                          • String ID: t#|z:charbuffer_encode
                                                                                          • API String ID: 2714287502-2725689005
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EBF71
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EBF83
                                                                                          • _PyErr_BadInternalCall.PYTHON27(..\Objects\setobject.c,00000925), ref: 6C8EBF99
                                                                                            • Part of subcall function 6C940890: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,?,6C8EBD4E,?,6C8EBD4E,..\Objects\setobject.c,000008F0), ref: 6C9408AA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_SubtypeType_$CallFormatInternal
                                                                                          • String ID: ..\Objects\setobject.c
                                                                                          • API String ID: 3748510839-1817486985
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(-Infinity,?,?,?,?,6C82D862,FFFFFFFD,0000003A,?,?), ref: 6C82D0F9
                                                                                          • PyString_InternInPlace.PYTHON27(?,?), ref: 6C82D10C
                                                                                          • PyObject_CallFunctionObjArgs.PYTHON27(?,?,00000000,?,?,?), ref: 6C82D12E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: String_$ArgsCallFromFunctionInternObject_PlaceString
                                                                                          • String ID: -Infinity
                                                                                          • API String ID: 4070845078-3424019370
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C8AB564
                                                                                          • PyObject_DelItem.PYTHON27(?,00000000), ref: 6C8AB57B
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AB5B3
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AB5AD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: String$Err_FromItemObject_String_
                                                                                          • String ID: null argument to internal routine
                                                                                          • API String ID: 1374695092-2212441169
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Python\pystrtod.c,000004D5), ref: 6C951DE4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Python\pystrtod.c$e
                                                                                          • API String ID: 376477240-3173659257
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AEF81
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C8AEF90
                                                                                          • PyObject_SetItem.PYTHON27(?,00000000,?), ref: 6C8AEFAE
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AEF7B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: String$Err_FromItemObject_String_
                                                                                          • String ID: null argument to internal routine
                                                                                          • API String ID: 1374695092-2212441169
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,000002FB,00000000,?,?,6C9473E7,00000000,00000000,?,?,6C94DEB4), ref: 6C8C4F4D
                                                                                          • PyObject_Hash.PYTHON27(?,00000000,?,?,6C9473E7,00000000,00000000,?,?,6C94DEB4), ref: 6C8C4F72
                                                                                          Strings
                                                                                          • ..\Objects\dictobject.c, xrefs: 6C8C4F42
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8C4F47
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_FormatHashObject_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\dictobject.c
                                                                                          • API String ID: 896634218-1541589624
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: isdigitmallocmemmove
                                                                                          • String ID: $Revision$
                                                                                          • API String ID: 1441860961-3178937091
                                                                                          APIs
                                                                                          • PyArg_ParseTuple.PYTHON27(?,ss:addinfo,?,?), ref: 6C82A0DA
                                                                                          • PyErr_SetString.PYTHON27(?,profiler already closed), ref: 6C82A0FC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Arg_Err_ParseStringTuple
                                                                                          • String ID: profiler already closed$ss:addinfo
                                                                                          • API String ID: 385655187-3850335802
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\unicodeobject.c,00000457,00000000,?,?,6C82FC12,?,00000000,?), ref: 6C907824
                                                                                          • memcpy.MSVCR90(?,?,?,00000000,?,?,6C82FC12,?,00000000,?), ref: 6C90784E
                                                                                          Strings
                                                                                          • ..\Objects\unicodeobject.c, xrefs: 6C907819
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C90781E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Formatmemcpy
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\unicodeobject.c
                                                                                          APIs
                                                                                          • PyCallable_Check.PYTHON27(6C935CA0,00000000,00000000,?,6C935CA0,strict,00000000,?,?,?,?,?,?,6C822548), ref: 6C935156
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,handler must be callable,00000000,?,?,?,?,?,?,6C822548), ref: 6C93516E
                                                                                            • Part of subcall function 6C935BD0: Py_FatalError.PYTHON27(GC object already tracked,?,?,?,6C822548), ref: 6C935C28
                                                                                            • Part of subcall function 6C935BD0: PyDict_New.PYTHON27(?,?,?,6C822548), ref: 6C935C57
                                                                                            • Part of subcall function 6C935BD0: PyDict_New.PYTHON27(?,?,?,6C822548), ref: 6C935C5F
                                                                                            • Part of subcall function 6C935BD0: PyCFunction_NewEx.PYTHON27(6CA46BFC,00000000,00000000,?,?,?,6C822548), ref: 6C935C78
                                                                                            • Part of subcall function 6C935BD0: Py_FatalError.PYTHON27(can't initialize codec error registry,?,?,?,?,?,?,6C822548), ref: 6C935C8B
                                                                                            • Part of subcall function 6C935BD0: PyCodec_RegisterError.PYTHON27(strict,00000000,?,?,?,?,?,?,6C822548), ref: 6C935C9B
                                                                                            • Part of subcall function 6C935BD0: Py_FatalError.PYTHON27(can't initialize codec error registry,?,?,?,?,?,?,?,?,6C822548), ref: 6C935CBF
                                                                                            • Part of subcall function 6C935BD0: Py_FatalError.PYTHON27(can't initialize codec registry,?,?,?,6C822548), ref: 6C935CEA
                                                                                            • Part of subcall function 6C935BD0: _PyImport_AcquireLock.PYTHON27(?,?,?,?,6C822548), ref: 6C935CF2
                                                                                            • Part of subcall function 6C935BD0: _PyImport_ReleaseLock.PYTHON27(?,?,?,?,?,?,?,6C822548), ref: 6C935D0C
                                                                                          • PyDict_SetItemString.PYTHON27(00000000,?,6C935CA0,00000000,?,?,?,?,?,?,6C822548), ref: 6C935186
                                                                                          Strings
                                                                                          • handler must be callable, xrefs: 6C935168
                                                                                          Similarity
                                                                                          • API ID: Error$Fatal$Dict_$Import_LockString$AcquireCallable_CheckCodec_Err_Function_ItemRegisterRelease
                                                                                          • String ID: handler must be callable
                                                                                          APIs
                                                                                          • PyLong_AsLongAndOverflow.PYTHON27(6C8D046B,?,-000000FF,00000000,6C8D046B,00000000), ref: 6C8DD894
                                                                                            • Part of subcall function 6C8DD640: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\longobject.c,000000F4), ref: 6C8DD67A
                                                                                          • PyString_FromString.PYTHON27(Python int too large to convert to C int), ref: 6C8DD8B9
                                                                                          • PyErr_SetObject.PYTHON27(6CA663F8,00000000,?,-000000FF,00000000,6C8D046B,00000000), ref: 6C8DD8C5
                                                                                          Strings
                                                                                          • Python int too large to convert to C int, xrefs: 6C8DD8B4
                                                                                          Similarity
                                                                                          • API ID: Err_$FormatFromLongLong_ObjectOverflowStringString_
                                                                                          • String ID: Python int too large to convert to C int
                                                                                          APIs
                                                                                          • PyLong_AsLongAndOverflow.PYTHON27(6C8D71C0,?,?,00000000,?,?,?,6C8D71C0,00000000,?,00000000), ref: 6C8DD823
                                                                                            • Part of subcall function 6C8DD640: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\longobject.c,000000F4), ref: 6C8DD67A
                                                                                          • PyString_FromString.PYTHON27(Python int too large to convert to C long), ref: 6C8DD83F
                                                                                          • PyErr_SetObject.PYTHON27(6CA663F8,00000000,?,6C8D71C0,00000000,?,00000000), ref: 6C8DD84B
                                                                                          Strings
                                                                                          • Python int too large to convert to C long, xrefs: 6C8DD83A
                                                                                          Similarity
                                                                                          • API ID: Err_$FormatFromLongLong_ObjectOverflowStringString_
                                                                                          • String ID: Python int too large to convert to C long
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AD4F0
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AD4EA
                                                                                          • bad operand type for unary +: '%.200s', xrefs: 6C8AD51E
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: bad operand type for unary +: '%.200s'$null argument to internal routine
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AD490
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AD48A
                                                                                          • bad operand type for unary -: '%.200s', xrefs: 6C8AD4BE
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: bad operand type for unary -: '%.200s'$null argument to internal routine
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AD5B0
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AD5AA
                                                                                          • bad operand type for abs(): '%.200s', xrefs: 6C8AD5DE
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: bad operand type for abs(): '%.200s'$null argument to internal routine
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AD550
                                                                                          Strings
                                                                                          • bad operand type for unary ~: '%.200s', xrefs: 6C8AD57E
                                                                                          • null argument to internal routine, xrefs: 6C8AD54A
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: bad operand type for unary ~: '%.200s'$null argument to internal routine
                                                                                          • API String ID: 1450464846-122179322
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine,?,6C8AB11B,?), ref: 6C8AEE90
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AEE8A
                                                                                          • object of type '%.200s' has no len(), xrefs: 6C8AEEBE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: null argument to internal routine$object of type '%.200s' has no len()
                                                                                          • API String ID: 1450464846-3626758343
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8ADF90
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8ADF8A
                                                                                          • object of type '%.200s' has no len(), xrefs: 6C8ADFBE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: null argument to internal routine$object of type '%.200s' has no len()
                                                                                          • API String ID: 1450464846-3626758343
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,PyCapsule_GetPointer called with invalid PyCapsule object), ref: 6C8B91E6
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,PyCapsule_GetPointer called with incorrect name), ref: 6C8B920E
                                                                                          Strings
                                                                                          • PyCapsule_GetPointer called with invalid PyCapsule object, xrefs: 6C8B91E0
                                                                                          • PyCapsule_GetPointer called with incorrect name, xrefs: 6C8B9208
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: PyCapsule_GetPointer called with incorrect name$PyCapsule_GetPointer called with invalid PyCapsule object
                                                                                          • API String ID: 1450464846-428115879
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(00000000,'%c' format requires 0 <= number <= %zu), ref: 6C838E0D
                                                                                          • PyErr_Format.PYTHON27(00000000,'%c' format requires %zd <= number <= %zd), ref: 6C838E2F
                                                                                          Strings
                                                                                          • '%c' format requires %zd <= number <= %zd, xrefs: 6C838E29
                                                                                          • '%c' format requires 0 <= number <= %zu, xrefs: 6C838E07
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: '%c' format requires %zd <= number <= %zd$'%c' format requires 0 <= number <= %zu
                                                                                          • API String ID: 376477240-2382652346
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EBD21
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EBD33
                                                                                          • _PyErr_BadInternalCall.PYTHON27(..\Objects\setobject.c,000008F0), ref: 6C8EBD49
                                                                                            • Part of subcall function 6C940890: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,?,6C8EBD4E,?,6C8EBD4E,..\Objects\setobject.c,000008F0), ref: 6C9408AA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_SubtypeType_$CallFormatInternal
                                                                                          • String ID: ..\Objects\setobject.c
                                                                                          • API String ID: 3748510839-1817486985
                                                                                          APIs
                                                                                          • PyFloat_AsDouble.PYTHON27(?), ref: 6C839EDA
                                                                                            • Part of subcall function 6C8D0B70: PyType_IsSubtype.PYTHON27(04C48318,?,?,00000000,?,6C8C0CAA,?,?,?,?), ref: 6C8D0B90
                                                                                          • PyErr_SetString.PYTHON27(00000000,required argument is not a float), ref: 6C839F0B
                                                                                          • _PyFloat_Pack4.PYTHON27(?,00000001), ref: 6C839F26
                                                                                          Strings
                                                                                          • required argument is not a float, xrefs: 6C839F05
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Float_$DoubleErr_Pack4StringSubtypeType_
                                                                                          • String ID: required argument is not a float
                                                                                          • API String ID: 2049945616-2628405891
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EBE8B
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\setobject.c,0000090E), ref: 6C8EBEAC
                                                                                          Strings
                                                                                          • ..\Objects\setobject.c, xrefs: 6C8EBEA1
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8EBEA6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FormatSubtypeType_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\setobject.c
                                                                                          • API String ID: 2789853835-1012936799
                                                                                          APIs
                                                                                          • PyFloat_AsDouble.PYTHON27(?), ref: 6C839F4A
                                                                                            • Part of subcall function 6C8D0B70: PyType_IsSubtype.PYTHON27(04C48318,?,?,00000000,?,6C8C0CAA,?,?,?,?), ref: 6C8D0B90
                                                                                          • PyErr_SetString.PYTHON27(00000000,required argument is not a float), ref: 6C839F7B
                                                                                          • _PyFloat_Pack8.PYTHON27(?,00000001), ref: 6C839F96
                                                                                          Strings
                                                                                          • required argument is not a float, xrefs: 6C839F75
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Float_$DoubleErr_Pack8StringSubtypeType_
                                                                                          • String ID: required argument is not a float
                                                                                          • API String ID: 2598805623-2628405891
                                                                                          • Opcode ID: e03a3846756015ddcc64ed38986f4f4b102cd6bdce6ca510d8338b84be64b510
                                                                                          • Instruction ID: 6b07049495a278b1f5390a2c5289f864bb0ea6dc08a3057d41f72c9ec18c223c
                                                                                          • Opcode Fuzzy Hash: e03a3846756015ddcc64ed38986f4f4b102cd6bdce6ca510d8338b84be64b510
                                                                                          • Instruction Fuzzy Hash: DDF059B0A1420593CB14AE64ED85B5A3369D782328F008B94FD5C477C0EB32943987C1
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EBD7B
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\setobject.c,000008FA), ref: 6C8EBD9C
                                                                                          Strings
                                                                                          • ..\Objects\setobject.c, xrefs: 6C8EBD91
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8EBD96
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FormatSubtypeType_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\setobject.c
                                                                                          • API String ID: 2789853835-1012936799
                                                                                          • Opcode ID: 2fc3e8e96b062c7459da69bc4b8fec5890530936ca3b54648e78c7d2b17e608a
                                                                                          • Instruction ID: 665acb03aaa5c4c29f39d708c0e27f7ae40bc12854a1d4da53bd9958295f03ff
                                                                                          • Opcode Fuzzy Hash: 2fc3e8e96b062c7459da69bc4b8fec5890530936ca3b54648e78c7d2b17e608a
                                                                                          • Instruction Fuzzy Hash: F8E0EC61954314169B10556CAD02CE6335C671A139B084FA5FC2CD7F81FE65E56042E6
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EC0AB
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\setobject.c,00000942), ref: 6C8EC0CC
                                                                                          Strings
                                                                                          • ..\Objects\setobject.c, xrefs: 6C8EC0C1
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8EC0C6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FormatSubtypeType_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\setobject.c
                                                                                          • API String ID: 2789853835-1012936799
                                                                                          • Opcode ID: ff4757655f27c1ebef3424c038bc6e53cac0159c881c2a34c1a538bf6dc00eb1
                                                                                          • Instruction ID: 9b1eb0c7c8b0f671be0f5d510d127cc82577e189999039372a715bb7d1f8b238
                                                                                          • Opcode Fuzzy Hash: ff4757655f27c1ebef3424c038bc6e53cac0159c881c2a34c1a538bf6dc00eb1
                                                                                          • Instruction Fuzzy Hash: 6EE02BA2D54214279B20755C7E03CD7375CA71A13DB448E66FC1CD7F42FA61E96042E1
                                                                                          APIs
                                                                                          • PyType_IsSubtype.PYTHON27(?,?), ref: 6C8EC10B
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\setobject.c,0000094C), ref: 6C8EC12C
                                                                                          Strings
                                                                                          • ..\Objects\setobject.c, xrefs: 6C8EC121
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8EC126
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FormatSubtypeType_
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\setobject.c
                                                                                          • API String ID: 2789853835-1012936799
                                                                                          • Opcode ID: 4e52f9af4fb753138b0a487f63885c53f5c9e33d52a57211481eb85fd550e4fb
                                                                                          • Instruction ID: fe8031be6bfda5f2b68aed377864f48fb691bc0f984a3de41139c70872f9c6b9
                                                                                          • Opcode Fuzzy Hash: 4e52f9af4fb753138b0a487f63885c53f5c9e33d52a57211481eb85fd550e4fb
                                                                                          • Instruction Fuzzy Hash: 88F0E571904204279B10E96DEE82C567B98A71A13CF948BA4FC2CDBF83EA31E96045E0
                                                                                          APIs
                                                                                          • Py_FatalError.PYTHON27(PyEval_RestoreThread: NULL tstate,?,?,6C9467F6,00000000,00000000,00000000,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E550
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          • _errno.MSVCR90 ref: 6C92E569
                                                                                          • _errno.MSVCR90 ref: 6C92E585
                                                                                          Strings
                                                                                          • PyEval_RestoreThread: NULL tstate, xrefs: 6C92E54B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: DebugOutputString$__iob_func_errno$ErrorFatalabortfflushfprintf
                                                                                          • String ID: PyEval_RestoreThread: NULL tstate
                                                                                          • API String ID: 2486884445-2925922187
                                                                                          • Opcode ID: cc6d6626e937f0aa9a85fc5d08a62e48bdc03916e77ac6fef0a95052c341f864
                                                                                          • Instruction ID: e8a9d589a7aebbbd856de42943adcd50c0a3728fec4384b6fef1867e91a7acab
                                                                                          • Opcode Fuzzy Hash: cc6d6626e937f0aa9a85fc5d08a62e48bdc03916e77ac6fef0a95052c341f864
                                                                                          • Instruction Fuzzy Hash: D5F02E326102195FDF009F5FE84095973BCEB952697144236D51883750D734E8548BE1
                                                                                          APIs
                                                                                          • Py_FatalError.PYTHON27(PyEval_SaveThread: NULL tstate,00000000,6C9467DA,00000000,00000000,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E4FA
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6C92E516
                                                                                          • SetEvent.KERNEL32(?,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C92E524
                                                                                          Strings
                                                                                          • PyEval_SaveThread: NULL tstate, xrefs: 6C92E4F5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: DebugOutputString$__iob_func$DecrementErrorEventFatalInterlockedabortfflushfprintf
                                                                                          • String ID: PyEval_SaveThread: NULL tstate
                                                                                          • API String ID: 3971291581-2054007492
                                                                                          • Opcode ID: 497c100d9d4682665e7475c44fbbbffa44718146d1e8fc6b0b1e149a2d224cd0
                                                                                          • Instruction ID: dbe73539bfa03ec43705a467efc6e9607bcf26ed260c71267408c576b9fa9ad0
                                                                                          • Opcode Fuzzy Hash: 497c100d9d4682665e7475c44fbbbffa44718146d1e8fc6b0b1e149a2d224cd0
                                                                                          • Instruction Fuzzy Hash: E6E0ED727152229BEF048FABF808F9AB3F8AB0A256F05C114F808D3704E724D85187A0
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,"%s" must be an integer,quoting), ref: 6C8259F0
                                                                                          • PyInt_AsLong.PYTHON27 ref: 6C8259FE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FormatInt_Long
                                                                                          • String ID: "%s" must be an integer$quoting
                                                                                          • API String ID: 651860925-2813207715
                                                                                          • Opcode ID: 8c1dd9697a8eff3ec58512e21fe85032e005f2b187832e5a3c7116fbc8192d1f
                                                                                          • Instruction ID: ebd2546d8303deed61ce0be8b63fc63dfa12d317fccb677046ef58924c6ce6f4
                                                                                          • Opcode Fuzzy Hash: 8c1dd9697a8eff3ec58512e21fe85032e005f2b187832e5a3c7116fbc8192d1f
                                                                                          • Instruction Fuzzy Hash: 0FE0E5705003059BD704CB69E948A0933755B4433CF20CB68E42C8BFC0E735E4D5A780
                                                                                          APIs
                                                                                          • TlsGetValue.KERNEL32(?,00000000,00000000,?,6C950697,00000000), ref: 6C950746
                                                                                          • TlsSetValue.KERNEL32(?,6C950697,?,6C950697,00000000), ref: 6C950755
                                                                                          • Py_FatalError.PYTHON27(Couldn't create autoTLSkey mapping,?,6C950697,00000000), ref: 6C950764
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          Strings
                                                                                          • Couldn't create autoTLSkey mapping, xrefs: 6C95075F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: DebugOutputString$Value__iob_func$ErrorFatalabortfflushfprintf
                                                                                          • String ID: Couldn't create autoTLSkey mapping
                                                                                          • API String ID: 3273730768-18693100
                                                                                          • Opcode ID: 6e2c2de5dcd115ebc3fc5d9fe0cb0560c029ba04b148a2316867af7fe96fefa1
                                                                                          • Instruction ID: 662f4347914218b42a9eef1fb62666fc42e1413e3df22718f1fa429f1f675bf8
                                                                                          • Opcode Fuzzy Hash: 6e2c2de5dcd115ebc3fc5d9fe0cb0560c029ba04b148a2316867af7fe96fefa1
                                                                                          • Instruction Fuzzy Hash: 40E092712042616FE710AE57AC4CF5B3FBCAB4279CF540028F509C3A40E734E4A5CAA1
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA65248,internal error in regular expression engine), ref: 6C835FEA
                                                                                          • PyErr_SetString.PYTHON27(6CA65248,maximum recursion limit exceeded), ref: 6C835FFF
                                                                                          Strings
                                                                                          • internal error in regular expression engine, xrefs: 6C835FE4
                                                                                          • maximum recursion limit exceeded, xrefs: 6C835FF9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String
                                                                                          • String ID: internal error in regular expression engine$maximum recursion limit exceeded
                                                                                          • API String ID: 1450464846-628104037
                                                                                          • Opcode ID: 6dd4feff50af76f3b633653d4bf5ae4203e4856ba6fe98208e5d2f1014910bb9
                                                                                          • Instruction ID: 968a9b4d748199747971736ae9d68a76b8a9d0b18039f071d8254b7434359923
                                                                                          • Opcode Fuzzy Hash: 6dd4feff50af76f3b633653d4bf5ae4203e4856ba6fe98208e5d2f1014910bb9
                                                                                          • Instruction Fuzzy Hash: 2ED02E4AA013205B8E2092F83C94C283528763323CBB07F90B03CD2EF0D738C00A82A5
                                                                                          APIs
                                                                                          • PySequence_List.PYTHON27(?), ref: 6C823825
                                                                                            • Part of subcall function 6C8AE960: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AE985
                                                                                          • PyObject_GetIter.PYTHON27(?), ref: 6C82385D
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA64978), ref: 6C823924
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C823930
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$ClearExceptionGivenIterListMatchesObject_Sequence_String
                                                                                          • String ID:
                                                                                          • API String ID: 4113104371-0
                                                                                          • Opcode ID: daf971ca2aafaa83adae96993fccd5e8abf2976d8566c91c9a3a6fcfec0bf30c
                                                                                          • Instruction ID: f151204b1a072aee9f30dbbf1f0fc9957e267e6c53e038730b8dcfdc639df53a
                                                                                          • Opcode Fuzzy Hash: daf971ca2aafaa83adae96993fccd5e8abf2976d8566c91c9a3a6fcfec0bf30c
                                                                                          • Instruction Fuzzy Hash: B541E9B1A006019BC724CE69D954A96B3B8FB46334F14473DD9288BB80E739FD96C7D1
                                                                                          APIs
                                                                                          • PySequence_List.PYTHON27(?), ref: 6C8239A5
                                                                                            • Part of subcall function 6C8AE960: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AE985
                                                                                          • PyObject_GetIter.PYTHON27(?), ref: 6C8239DD
                                                                                          • PyErr_GivenExceptionMatches.PYTHON27(?,6CA64978), ref: 6C823A9A
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C823AA6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_$ClearExceptionGivenIterListMatchesObject_Sequence_String
                                                                                          • String ID:
                                                                                          • API String ID: 4113104371-0
                                                                                          • Opcode ID: 9474dccf4f81d2d14eefd823dd749d2372a799f3821a36ce6a3fe5c5fed07366
                                                                                          • Instruction ID: 5cc5c4105787f1f4e4a8ec909e95b34b325d08da101c2566d352508bf18b9f27
                                                                                          • Opcode Fuzzy Hash: 9474dccf4f81d2d14eefd823dd749d2372a799f3821a36ce6a3fe5c5fed07366
                                                                                          • Instruction Fuzzy Hash: 50410672600A029BC3248F69D994A9673B8FB45338F144B38D82987B81E739ECD2C7D1
                                                                                          APIs
                                                                                          • PyErr_NoMemory.PYTHON27(6C8BF060,00000000,?,?,?,?,?,?,?,?,?,?,?,6C8E978E,00000000,850C2444), ref: 6C8E8F70
                                                                                          • malloc.MSVCR90 ref: 6C8E8FE3
                                                                                          • memset.MSVCR90 ref: 6C8E9004
                                                                                          • free.MSVCR90 ref: 6C8E9067
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Memoryfreemallocmemset
                                                                                          • String ID:
                                                                                          • API String ID: 3371104938-0
                                                                                          • Opcode ID: 4956a3d8033aedbb1d6c7d31b632cf7fbfc8a94c2b1053b4cb916190aeea72bb
                                                                                          • Instruction ID: 23288cf0f50de4800c59b9dcbf918eea32f307b924d1ddd62b5c7a22c1a2fcb2
                                                                                          • Opcode Fuzzy Hash: 4956a3d8033aedbb1d6c7d31b632cf7fbfc8a94c2b1053b4cb916190aeea72bb
                                                                                          • Instruction Fuzzy Hash: CF31A871A006059FE720CF69D9C078EB7B5EF8A328F644A2AD819C7B50E771E945CB90
                                                                                          APIs
                                                                                          • PyString_FromStringAndSize.PYTHON27(00000000,?), ref: 6C82AF8A
                                                                                          • _PyString_Resize.PYTHON27(?,7FFFFFFF), ref: 6C82B010
                                                                                          • _PyString_Resize.PYTHON27(?,00000002), ref: 6C82B039
                                                                                          • PyErr_NoMemory.PYTHON27 ref: 6C82B061
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String_$Resize$Err_FromMemorySizeString
                                                                                          • String ID:
                                                                                          • API String ID: 1823809671-0
                                                                                          • Opcode ID: 461fd2bc899663d6d4c01dac9ff3825c3a25ddbd50b46cf82d3d317e29ec1094
                                                                                          • Instruction ID: 472dc682c6fde6d13f35942be78f654bcde31be64ee763ad581dff1de1a9271e
                                                                                          • Opcode Fuzzy Hash: 461fd2bc899663d6d4c01dac9ff3825c3a25ddbd50b46cf82d3d317e29ec1094
                                                                                          • Instruction Fuzzy Hash: BF31F6719011099BCB20CEA8CA84AEDB7F4EF45328F604AA9D42597B94D7389587C7E1
                                                                                          APIs
                                                                                            • Part of subcall function 6C829090: malloc.MSVCR90 ref: 6C8290B0
                                                                                            • Part of subcall function 6C829090: PyErr_NoMemory.PYTHON27 ref: 6C8290BF
                                                                                            • Part of subcall function 6C829090: fgetc.MSVCR90 ref: 6C8290E7
                                                                                            • Part of subcall function 6C829090: PyString_FromStringAndSize.PYTHON27(00000000,?), ref: 6C8290FF
                                                                                            • Part of subcall function 6C829090: free.MSVCR90 ref: 6C82910C
                                                                                          • PyDict_GetItem.PYTHON27(?,?), ref: 6C829180
                                                                                          • PyList_New.PYTHON27(00000000), ref: 6C829193
                                                                                            • Part of subcall function 6C8D93A0: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,0000007E,?,?,?,?,?,6C8C5BB1,?,?,?,?,6C8C67DF,?), ref: 6C8D93C3
                                                                                          • PyDict_SetItem.PYTHON27(?,?,00000000), ref: 6C8291A7
                                                                                          • PyList_Append.PYTHON27(00000000,?), ref: 6C82921A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Dict_Err_ItemList_$AppendFormatFromMemorySizeStringString_fgetcfreemalloc
                                                                                          • String ID:
                                                                                          • API String ID: 1085706943-0
                                                                                          • Opcode ID: a5f486c402d1547218ecd3b063dbb05f99a56bff58128d70b14961f654c9030b
                                                                                          • Instruction ID: 9617f88c73b2652deebb121d5d39f841f44431a7cb95e7c1b7b5d25d0375f134
                                                                                          • Opcode Fuzzy Hash: a5f486c402d1547218ecd3b063dbb05f99a56bff58128d70b14961f654c9030b
                                                                                          • Instruction Fuzzy Hash: 0731C9B1D00204ABD720DFA6DE889DEB378AF05238B144B68D92597781E73CDE85C7D1
                                                                                          APIs
                                                                                          • PyString_InternInPlace.PYTHON27(?,?,?,?,?,6C8BF1E2,?), ref: 6C8BEFF4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: InternPlaceString_
                                                                                          • String ID:
                                                                                          • API String ID: 3813175135-0
                                                                                          • Opcode ID: 1834da82592784dfdacbee72cfec4b6ccc2b276b8f5d7b0aeb2e5b819f319956
                                                                                          • Instruction ID: f9419ba0a7b31a8977f521e6b7eb1904c67b9737ee2c9c4f462e4f3d426b1b9b
                                                                                          • Opcode Fuzzy Hash: 1834da82592784dfdacbee72cfec4b6ccc2b276b8f5d7b0aeb2e5b819f319956
                                                                                          • Instruction Fuzzy Hash: 2A31B3B99046018BD730CF2D9A4158A73E4AFA5328F044E79E854ABB50E735E91AC7E3
                                                                                          APIs
                                                                                          • PyObject_GetItem.PYTHON27(?,?,?,?,?,?,6C8D56D7,?,00000001,?), ref: 6C8D5482
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8D5490
                                                                                          • PyCell_Set.PYTHON27(00000000,00000000), ref: 6C8D54AA
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8D54B6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Similarity
                                                                                          • API ID: ClearErr_$Cell_ItemObject_
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(?), ref: 6C8BEDCB
                                                                                          • PyImport_Import.PYTHON27(00000000), ref: 6C8BEDDB
                                                                                          • PyObject_GetAttrString.PYTHON27(00000000,?), ref: 6C8BEDFF
                                                                                          • PyCObject_AsVoidPtr.PYTHON27(00000000), ref: 6C8BEE0E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Object_String$AttrFromImportImport_String_Void
                                                                                          • String ID:
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: fflushfreereallocsetvbuf
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6C946784
                                                                                          • PyThread_allocate_lock.PYTHON27(?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C94679A
                                                                                          • PyEval_SaveThread.PYTHON27(00000000,00000000,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C9467D5
                                                                                          • PyEval_RestoreThread.PYTHON27(00000000,00000000,00000000,?,?,6C94A352,__builtin__,00000000,00000000,00000000,00000000), ref: 6C9467F1
                                                                                            • Part of subcall function 6C9679B0: InterlockedCompareExchange.KERNEL32(?,00000000,000000FF), ref: 6C9679BF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Thread$Eval_$CompareCurrentExchangeInterlockedRestoreSaveThread_allocate_lock
                                                                                          • String ID:
                                                                                          APIs
                                                                                          Strings
                                                                                          • PyThreadState_Clear: warning: thread still has a frame, xrefs: 6C950797
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: __iob_funcfprintf
                                                                                          • String ID: PyThreadState_Clear: warning: thread still has a frame
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,can't unpack IEEE 754 special value on non-IEEE platform), ref: 6C8D40B0
                                                                                          • ldexp.MSVCR90 ref: 6C8D4106
                                                                                          Strings
                                                                                          • can't unpack IEEE 754 special value on non-IEEE platform, xrefs: 6C8D40AA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_Stringldexp
                                                                                          • String ID: can't unpack IEEE 754 special value on non-IEEE platform
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(deque index out of range), ref: 6C8244DB
                                                                                          • PyErr_SetObject.PYTHON27(6CA65B38,00000000,deque index out of range), ref: 6C8244E4
                                                                                          Strings
                                                                                          • deque index out of range, xrefs: 6C8244D6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: deque index out of range
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(invalid SRE code,00000000,00000000,?,6C837406), ref: 6C837A79
                                                                                          • PyErr_SetObject.PYTHON27(6CA65248,00000000,invalid SRE code,00000000,00000000,?,6C837406), ref: 6C837A82
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: invalid SRE code
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C826528
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C826560
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C82655B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: ErrorFatalMallocObject_
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 2067638752-3349536495
                                                                                          APIs
                                                                                          • _PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|O:groups,6CA8A204,?), ref: 6C837D63
                                                                                          • PyTuple_New.PYTHON27(?), ref: 6C837D83
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Arg_Keywords_ParseSizeTupleTuple_
                                                                                          • String ID: |O:groups
                                                                                          • API String ID: 839320981-1302304481
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(pop from an empty set,?,?,?,?,?,6C8EC0E1,?), ref: 6C8E98AF
                                                                                          • PyErr_SetObject.PYTHON27(6CA65C10,00000000,pop from an empty set,?,?,?,?,?,6C8EC0E1,?), ref: 6C8E98B8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: pop from an empty set
                                                                                          • API String ID: 1840871587-2672739147
                                                                                          APIs
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8E46D9
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000014), ref: 6C8E4713
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8E46D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFatalMallocObject_
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 2067638752-3349536495
                                                                                          APIs
                                                                                          • PyArg_UnpackTuple.PYTHON27(?,runcall,00000001,00000003,?,?,?), ref: 6C82A208
                                                                                            • Part of subcall function 6C945D90: PyString_FromString.PYTHON27(PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DB2
                                                                                            • Part of subcall function 6C945D90: PyErr_SetObject.PYTHON27(6CA665C8,00000000,PyArg_UnpackTuple() argument list is not a tuple), ref: 6C945DBB
                                                                                            • Part of subcall function 6C82A040: PyString_FromString.PYTHON27(profiler already active), ref: 6C82A05C
                                                                                            • Part of subcall function 6C82A040: PyErr_SetObject.PYTHON27(?,00000000,profiler already active), ref: 6C82A065
                                                                                            • Part of subcall function 6C829F30: QueryPerformanceCounter.KERNEL32 ref: 6C829F44
                                                                                            • Part of subcall function 6C829F30: PyEval_SetTrace.PYTHON27(Function_00009E00), ref: 6C829F6B
                                                                                          • PyEval_CallObjectWithKeywords.PYTHON27(?,?,?), ref: 6C82A235
                                                                                            • Part of subcall function 6C9329C0: PyErr_SetString.PYTHON27(6CA648B0,keyword list must be a dictionary), ref: 6C932A87
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_ObjectString$Eval_FromString_$Arg_CallCounterKeywordsPerformanceQueryTraceTupleUnpackWith
                                                                                          • String ID: runcall
                                                                                          • API String ID: 2803546149-1992080128
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(deque mutated during iteration), ref: 6C8250B8
                                                                                          • PyErr_SetObject.PYTHON27(6CA65248,00000000,deque mutated during iteration), ref: 6C8250C1
                                                                                          Strings
                                                                                          • deque mutated during iteration, xrefs: 6C8250B3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: deque mutated during iteration
                                                                                          • API String ID: 1840871587-601426129
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000018), ref: 6C8D6F0E
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8D6F50
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8D6F4B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: DebugOutputString$__iob_func$ErrorFatalMallocObject_abortfflushfprintf
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 872466363-3349536495
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(heap argument must be a list), ref: 6C828712
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,heap argument must be a list), ref: 6C82871B
                                                                                          Strings
                                                                                          • heap argument must be a list, xrefs: 6C82870D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: heap argument must be a list
                                                                                          • API String ID: 1840871587-325666163
                                                                                          APIs
                                                                                          • PyObject_CallFunction.PYTHON27(6CA91A50,((Olldd)),?,?,?), ref: 6C83085F
                                                                                            • Part of subcall function 6C8AF1F0: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AF217
                                                                                          • PyList_Append.PYTHON27(?,00000000), ref: 6C83087B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: AppendCallErr_FunctionList_Object_String
                                                                                          • String ID: ((Olldd))
                                                                                          • API String ID: 1113355727-2573867300
                                                                                          APIs
                                                                                            • Part of subcall function 6C8387C0: _PyArg_ParseTuple_SizeT.PYTHON27(?,O|nn:scanner,?,?,?), ref: 6C8387E8
                                                                                          • PyObject_GetAttrString.PYTHON27(00000000,search), ref: 6C8368C4
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Arg_AttrObject_ParseSizeStringTuple_
                                                                                          • String ID: search
                                                                                          • API String ID: 994136497-3035683751
                                                                                          APIs
                                                                                          • memcpy.MSVCR90(?,?), ref: 6C829898
                                                                                            • Part of subcall function 6C829700: fwrite.MSVCR90 ref: 6C82971E
                                                                                            • Part of subcall function 6C829700: fflush.MSVCR90 ref: 6C829742
                                                                                          • PyErr_SetString.PYTHON27(6CA65D10,string too large for internal buffer), ref: 6C82985A
                                                                                          Strings
                                                                                          • string too large for internal buffer, xrefs: 6C829854
                                                                                          Similarity
                                                                                          • API ID: Err_Stringfflushfwritememcpy
                                                                                          • String ID: string too large for internal buffer
                                                                                          • API String ID: 1502676727-55190435
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Python\getargs.c,000005C1,?,?,?), ref: 6C945543
                                                                                          Strings
                                                                                          • ..\Python\getargs.c, xrefs: 6C945538
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C94553D
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Python\getargs.c
                                                                                          • API String ID: 376477240-2001156345
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Python\getargs.c,000005D9,?,?), ref: 6C9455D3
                                                                                          Strings
                                                                                          • ..\Python\getargs.c, xrefs: 6C9455C8
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C9455CD
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Python\getargs.c
                                                                                          • API String ID: 376477240-2001156345
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(byte format requires -128 <= number <= 127), ref: 6C8391C9
                                                                                          • PyErr_SetObject.PYTHON27(00000000,00000000,byte format requires -128 <= number <= 127), ref: 6C8391D2
                                                                                          Strings
                                                                                          • byte format requires -128 <= number <= 127, xrefs: 6C8391C4
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: byte format requires -128 <= number <= 127
                                                                                          • API String ID: 1840871587-1890209971
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(buffer object expected), ref: 6C8B0522
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,buffer object expected), ref: 6C8B052B
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: buffer object expected
                                                                                          • API String ID: 1840871587-3871874642
                                                                                          APIs
                                                                                          • _PyObject_CallFunction_SizeT.PYTHON27(6CA65F20,su#nns,?,00000000,00000000,6C8D7763,6C8D7763,000000FF,000000FF,?,6C90A9E5,00000000,00000000,?,00000000,?), ref: 6C90A904
                                                                                            • Part of subcall function 6C8AF2F0: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AF317
                                                                                          • PyUnicodeEncodeError_SetReason.PYTHON27(000000FF,000000FF,000000FF,?,6C90A9E5,00000000,00000000,?,00000000,?,?,6C8D7763,?,6C90D75E,6C8D7763,6C8D7763), ref: 6C90A91C
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: CallEncodeErr_Error_Function_Object_ReasonSizeStringUnicode
                                                                                          • String ID: su#nns
                                                                                          • API String ID: 334710814-3489280294
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000010), ref: 6C8D8F6E
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8D8FA7
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8D8FA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: DebugOutputString$__iob_func$ErrorFatalMallocObject_abortfflushfprintf
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 872466363-3349536495
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(0000000C), ref: 6C8B964E
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8B9683
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8B967E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFatalMallocObject_
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 2067638752-3349536495
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AF770
                                                                                          • PyObject_Call.PYTHON27(00000000,00000000,00000000,?,00000000,?,6C8AB1D5), ref: 6C8AF796
                                                                                            • Part of subcall function 6C8AF070: _Py_CheckRecursiveCall.PYTHON27( while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C8AF0A5
                                                                                            • Part of subcall function 6C8AF070: PyErr_SetString.PYTHON27(6CA665C8,NULL result without error in PyObject_Call,?,00000000,00000000), ref: 6C8AF0E4
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AF76A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallErr_String$CheckObject_Recursive
                                                                                          • String ID: null argument to internal routine
                                                                                          • API String ID: 2045816541-2212441169
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(Invalid call to PyCObject_SetVoidPtr), ref: 6C8BEE8A
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,Invalid call to PyCObject_SetVoidPtr), ref: 6C8BEE93
                                                                                          Strings
                                                                                          • Invalid call to PyCObject_SetVoidPtr, xrefs: 6C8BEE85
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: Invalid call to PyCObject_SetVoidPtr
                                                                                          • API String ID: 1840871587-391560720
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(buffer object expected), ref: 6C8B04B1
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,buffer object expected), ref: 6C8B04BA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: buffer object expected
                                                                                          • API String ID: 1840871587-3871874642
                                                                                          APIs
                                                                                          • PyObject_GetAttrString.PYTHON27(?,__getitem__), ref: 6C8AEE1A
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8AEE3E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttrClearErr_Object_String
                                                                                          • String ID: __getitem__
                                                                                          • API String ID: 2543148516-3646536032
                                                                                          APIs
                                                                                          • _PyObject_GC_Malloc.PYTHON27(00000010), ref: 6C8C3EBE
                                                                                          • Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8C3EF7
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C961440
                                                                                            • Part of subcall function 6C961420: fprintf.MSVCR90 ref: 6C961446
                                                                                            • Part of subcall function 6C961420: __iob_func.MSVCR90 ref: 6C96144C
                                                                                            • Part of subcall function 6C961420: fflush.MSVCR90 ref: 6C961452
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(Fatal Python error: ), ref: 6C961499
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32 ref: 6C96149C
                                                                                            • Part of subcall function 6C961420: OutputDebugStringW.KERNEL32(6CA33AD4), ref: 6C9614A3
                                                                                            • Part of subcall function 6C961420: abort.MSVCR90 ref: 6C9614A5
                                                                                          Strings
                                                                                          • GC object already tracked, xrefs: 6C8C3EF2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: DebugOutputString$__iob_func$ErrorFatalMallocObject_abortfflushfprintf
                                                                                          • String ID: GC object already tracked
                                                                                          • API String ID: 872466363-3349536495
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(memory was exhausted while profiling), ref: 6C8307E5
                                                                                          • PyErr_SetObject.PYTHON27(6CA667A8,00000000,memory was exhausted while profiling), ref: 6C8307EE
                                                                                          Strings
                                                                                          • memory was exhausted while profiling, xrefs: 6C8307E0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: memory was exhausted while profiling
                                                                                          • API String ID: 1840871587-1801820754
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(bad char in struct format), ref: 6C83A04C
                                                                                          • PyErr_SetObject.PYTHON27(00000000,00000000,bad char in struct format), ref: 6C83A055
                                                                                          Strings
                                                                                          • bad char in struct format, xrefs: 6C83A047
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: bad char in struct format
                                                                                          • API String ID: 1840871587-2911813636
                                                                                          APIs
                                                                                          • PyObject_GetAttrString.PYTHON27(00000000,join), ref: 6C82B543
                                                                                          • PyObject_CallFunctionObjArgs.PYTHON27(?,?,00000000), ref: 6C82B571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Object_$ArgsAttrCallFunctionString
                                                                                          • String ID: join
                                                                                          • API String ID: 167733998-677501143
                                                                                          APIs
                                                                                          • PyObject_GetAttrString.PYTHON27(?,__getitem__), ref: 6C8ADF1A
                                                                                          • PyErr_Clear.PYTHON27 ref: 6C8ADF3E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: AttrClearErr_Object_String
                                                                                          • String ID: __getitem__
                                                                                          • API String ID: 2543148516-3646536032
                                                                                          APIs
                                                                                            • Part of subcall function 6C8AC430: PyType_IsSubtype.PYTHON27(00000000,?,?,?,?,?,?,6C8ACA14,?,?,00000040), ref: 6C8AC48B
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,unsupported operand type(s) for %.100s: '%.100s' and '%.100s',divmod(),?,?), ref: 6C8ACCEE
                                                                                          Strings
                                                                                          • unsupported operand type(s) for %.100s: '%.100s' and '%.100s', xrefs: 6C8ACCE8
                                                                                          • divmod(), xrefs: 6C8ACCE3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_FormatSubtypeType_
                                                                                          • String ID: divmod()$unsupported operand type(s) for %.100s: '%.100s' and '%.100s'
                                                                                          • API String ID: 2789853835-4006302392
                                                                                          APIs
                                                                                          • PyNumber_AsSsize_t.PYTHON27(?,6CA663F8), ref: 6C8ACDA6
                                                                                            • Part of subcall function 6C8AD720: PyNumber_Index.PYTHON27(?,?,?,?,6C8AB2E8,6C8AEF3A,6CA65B38), ref: 6C8AD729
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,can't multiply sequence by non-int of type '%.200s',?,?,6C8ACE69,?,?), ref: 6C8ACDDC
                                                                                          Strings
                                                                                          • can't multiply sequence by non-int of type '%.200s', xrefs: 6C8ACDD6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Number_$Err_FormatIndexSsize_t
                                                                                          • String ID: can't multiply sequence by non-int of type '%.200s'
                                                                                          • API String ID: 939530772-2793022148
                                                                                          APIs
                                                                                          • Py_BuildValue.PYTHON27((O)), ref: 6C8260A4
                                                                                          • PyObject_Call.PYTHON27(6CA8E5E8,00000000,?), ref: 6C8260C0
                                                                                            • Part of subcall function 6C8AF070: _Py_CheckRecursiveCall.PYTHON27( while calling a Python object,00000001,?,?,6C932AB3,00000000,?,6C880E50), ref: 6C8AF0A5
                                                                                            • Part of subcall function 6C8AF070: PyErr_SetString.PYTHON27(6CA665C8,NULL result without error in PyObject_Call,?,00000000,00000000), ref: 6C8AF0E4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Call$BuildCheckErr_Object_RecursiveStringValue
                                                                                          • String ID: (O)
                                                                                          • API String ID: 705347834-4232840684
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\cellobject.c,00000024), ref: 6C8B9734
                                                                                          Strings
                                                                                          • ..\Objects\cellobject.c, xrefs: 6C8B9729
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8B972E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\cellobject.c
                                                                                          • API String ID: 376477240-3279096532
                                                                                          APIs
                                                                                          • PyFloat_AsDouble.PYTHON27(?), ref: 6C8395CD
                                                                                            • Part of subcall function 6C8D0B70: PyType_IsSubtype.PYTHON27(04C48318,?,?,00000000,?,6C8C0CAA,?,?,?,?), ref: 6C8D0B90
                                                                                          • PyErr_SetString.PYTHON27(00000000,required argument is not a float), ref: 6C839600
                                                                                          Strings
                                                                                          • required argument is not a float, xrefs: 6C8395FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: DoubleErr_Float_StringSubtypeType_
                                                                                          • String ID: required argument is not a float
                                                                                          • API String ID: 4162100309-2628405891
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AB0F0
                                                                                          • PyMapping_Size.PYTHON27(?), ref: 6C8AB116
                                                                                            • Part of subcall function 6C8AEE70: PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine,?,6C8AB11B,?), ref: 6C8AEE90
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AB0EA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_String$Mapping_Size
                                                                                          • String ID: null argument to internal routine
                                                                                          • API String ID: 3862615131-2212441169
                                                                                          APIs
                                                                                          • PyFloat_AsDouble.PYTHON27(?), ref: 6C839568
                                                                                            • Part of subcall function 6C8D0B70: PyType_IsSubtype.PYTHON27(04C48318,?,?,00000000,?,6C8C0CAA,?,?,?,?), ref: 6C8D0B90
                                                                                          • PyErr_SetString.PYTHON27(00000000,required argument is not a float), ref: 6C83959B
                                                                                          Strings
                                                                                          • required argument is not a float, xrefs: 6C839595
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: DoubleErr_Float_StringSubtypeType_
                                                                                          • String ID: required argument is not a float
                                                                                          • API String ID: 4162100309-2628405891
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,000002CB), ref: 6C8DA42B
                                                                                          Strings
                                                                                          • ..\Objects\listobject.c, xrefs: 6C8DA420
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8DA425
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\listobject.c
                                                                                          • API String ID: 376477240-2051030382
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\tupleobject.c,000001AA,?,6C827AC3,?,00000001,7FFFFFFF), ref: 6C8F87A4
                                                                                          Strings
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8F879E
                                                                                          • ..\Objects\tupleobject.c, xrefs: 6C8F8799
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\tupleobject.c
                                                                                          • API String ID: 376477240-1285866127
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(__builtins__), ref: 6C8D50D9
                                                                                          • PyString_InternInPlace.PYTHON27(?), ref: 6C8D50FE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: String_$FromInternPlaceString
                                                                                          • String ID: __builtins__
                                                                                          • API String ID: 2843024944-2109793290
                                                                                          APIs
                                                                                          • PyDict_Size.PYTHON27 ref: 6C836098
                                                                                          • PyErr_Format.PYTHON27(6CA648B0,%s() takes at most %d positional arguments (%zd given),?,?,?), ref: 6C8360C8
                                                                                          Strings
                                                                                          • %s() takes at most %d positional arguments (%zd given), xrefs: 6C8360C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Dict_Err_FormatSize
                                                                                          • String ID: %s() takes at most %d positional arguments (%zd given)
                                                                                          • API String ID: 20579995-2187905400
                                                                                          APIs
                                                                                          • PyDict_GetItem.PYTHON27(00000000,?), ref: 6C82752F
                                                                                          • PyErr_Format.PYTHON27(00000000,unknown dialect), ref: 6C827553
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Dict_Err_FormatItem
                                                                                          • String ID: unknown dialect
                                                                                          • API String ID: 3923838959-3850176341
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,000001F0), ref: 6C8D9E9B
                                                                                          Strings
                                                                                          • ..\Objects\listobject.c, xrefs: 6C8D9E90
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D9E95
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\listobject.c
                                                                                          • API String ID: 376477240-2051030382
                                                                                          APIs
                                                                                          • PyString_FromString.PYTHON27(cannot copy this pattern object), ref: 6C8371D3
                                                                                          • PyErr_SetObject.PYTHON27(6CA648B0,00000000,cannot copy this pattern object), ref: 6C8371DC
                                                                                          Strings
                                                                                          • cannot copy this pattern object, xrefs: 6C8371CE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_FromObjectStringString_
                                                                                          • String ID: cannot copy this pattern object
                                                                                          • API String ID: 1840871587-1000097356
                                                                                          • Opcode ID: 07088b1067fbc38d153d9f303aa2675121bd0204765565e9f94b883cc9c84d6e
                                                                                          • Instruction ID: 877ed02fe2c1f42cf688901b59516a90b9905ce4e67d8fa81841afb68d8f8ccf
                                                                                          • Opcode Fuzzy Hash: 07088b1067fbc38d153d9f303aa2675121bd0204765565e9f94b883cc9c84d6e
                                                                                          • Instruction Fuzzy Hash: ABE0D8339415225B8220A5A96D0589B77A89A566787040769DC7C877E0EB11EC01C2D2
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,00000122), ref: 6C8D97FF
                                                                                            • Part of subcall function 6C8D9770: PyErr_SetString.PYTHON27(6CA663F8,cannot add more objects to list,00000000,00000000,?,6C8DA6DB,00000000), ref: 6C8D978D
                                                                                          Strings
                                                                                          • ..\Objects\listobject.c, xrefs: 6C8D97F4
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D97F9
                                                                                          Similarity
                                                                                          • API ID: Err_$FormatString
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\listobject.c
                                                                                          • API String ID: 4212644371-2051030382
                                                                                          • Opcode ID: 003725c1fbb14c74754624934e9d7799c710a0151737b888bffc27b25722096d
                                                                                          • Instruction ID: 3ee13b34e98a453c05f6e66fa7a0ea26dec6804fd386e731a27930838305d91f
                                                                                          • Opcode Fuzzy Hash: 003725c1fbb14c74754624934e9d7799c710a0151737b888bffc27b25722096d
                                                                                          • Instruction Fuzzy Hash: 0DE02B7570130427E724CE28ED52E7933189B02228F148B8CBC2C0BBC1DA21E410D7C1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,000006E7), ref: 6C8C67FC
                                                                                            • Part of subcall function 6C8C5BA0: PyList_New.PYTHON27(?,?,?,?,6C8C67DF,?), ref: 6C8C5BAC
                                                                                            • Part of subcall function 6C8C5BA0: PyList_New.PYTHON27(?), ref: 6C8C5BD2
                                                                                          Strings
                                                                                          • ..\Objects\dictobject.c, xrefs: 6C8C67F1
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8C67F6
                                                                                          Similarity
                                                                                          • API ID: List_$Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\dictobject.c
                                                                                          • API String ID: 817396481-1541589624
                                                                                          • Opcode ID: 6a27d25c0204f84ddf9262a00644db6ee555945e6578b2150e43ede9a8dbefc2
                                                                                          • Instruction ID: 483f28236dbe9c7a45f04888783aca1d2323da2c995fffb7338cbda17801df13
                                                                                          • Opcode Fuzzy Hash: 6a27d25c0204f84ddf9262a00644db6ee555945e6578b2150e43ede9a8dbefc2
                                                                                          • Instruction Fuzzy Hash: C7E0D865F043441FE720DF649E42E763758975115CF044FA8AC1CC7A81FA26D424A6D2
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,00000103), ref: 6C8D974B
                                                                                          Strings
                                                                                          • ..\Objects\listobject.c, xrefs: 6C8D9740
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D9745
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\listobject.c
                                                                                          • API String ID: 376477240-2051030382
                                                                                          • Opcode ID: cce02a875fa94d0961d351ca95371e05b520d99ec786b126bca274562bb7579e
                                                                                          • Instruction ID: c897cbc8962ce164451d6fba6a8bdef4e44d7ea9e8a2cc5713f925546cdaf6ad
                                                                                          • Opcode Fuzzy Hash: cce02a875fa94d0961d351ca95371e05b520d99ec786b126bca274562bb7579e
                                                                                          • Instruction Fuzzy Hash: 15E02B75A003082BD720CE28ED51D653328D702328F048B88FC3C0BBC0DA32E55097D1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,000006F1), ref: 6C8C684C
                                                                                            • Part of subcall function 6C8C5C20: PyList_New.PYTHON27(?,?,?,?,6C8C682F,?), ref: 6C8C5C2C
                                                                                            • Part of subcall function 6C8C5C20: PyList_New.PYTHON27(?), ref: 6C8C5C52
                                                                                          Strings
                                                                                          • ..\Objects\dictobject.c, xrefs: 6C8C6841
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8C6846
                                                                                          Similarity
                                                                                          • API ID: List_$Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\dictobject.c
                                                                                          • API String ID: 817396481-1541589624
                                                                                          • Opcode ID: 27e8ce45e115fc73efc64cf03ba16ec8e698273121198d7d8a0412c77f9dad3f
                                                                                          • Instruction ID: b43cfedb36568cd0d5b7cd8f60a3ffa6eaae1d7b38490777ea736cdf8531eff8
                                                                                          • Opcode Fuzzy Hash: 27e8ce45e115fc73efc64cf03ba16ec8e698273121198d7d8a0412c77f9dad3f
                                                                                          • Instruction Fuzzy Hash: 7CE06860B002041BEB30DB685E82E763758C711158F044AB9BC1CC7A81FA22D460E6C2
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,000006FB), ref: 6C8C689C
                                                                                            • Part of subcall function 6C8C5CA0: PyList_New.PYTHON27(?), ref: 6C8C5CB7
                                                                                            • Part of subcall function 6C8C5CA0: Py_FatalError.PYTHON27(GC object already tracked), ref: 6C8C5D5A
                                                                                            • Part of subcall function 6C8C5CA0: PyList_New.PYTHON27(?), ref: 6C8C5DC3
                                                                                          Strings
                                                                                          • ..\Objects\dictobject.c, xrefs: 6C8C6891
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8C6896
                                                                                          Similarity
                                                                                          • API ID: List_$Err_ErrorFatalFormat
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\dictobject.c
                                                                                          • API String ID: 2187311682-1541589624
                                                                                          • Opcode ID: e04da4197aee81771c7848aab78f9c40fb2776d91e3d5122c8908cbdbf8a2379
                                                                                          • Instruction ID: 51c90dfced50c25fbaebb502b9139fc78b102e8be01687293b3531a369901549
                                                                                          • Opcode Fuzzy Hash: e04da4197aee81771c7848aab78f9c40fb2776d91e3d5122c8908cbdbf8a2379
                                                                                          • Instruction Fuzzy Hash: F4E0D861B012041BE724DF649F82E763758D755158F044BA9AC1CD7E81FA26D460A6D2
                                                                                          APIs
                                                                                          • PyUnicodeUCS2_FromUnicode.PYTHON27(0C508BF8,4D8BE774), ref: 6C907946
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Unicode$From
                                                                                          • String ID: strict
                                                                                          • API String ID: 3080050696-2947452218
                                                                                          • Opcode ID: c9b33a4ef7da2abcc43bdfbec3e64ed0e56286dd1033945b1da4ab597588ad93
                                                                                          • Instruction ID: 203f18abd605bda813ccab4d50db063e2e2a0a73c030722afd4793c7de91286d
                                                                                          • Opcode Fuzzy Hash: c9b33a4ef7da2abcc43bdfbec3e64ed0e56286dd1033945b1da4ab597588ad93
                                                                                          • Instruction Fuzzy Hash: 08E0DF756002086FD7008B54E846F66336D9B9463CF54808CF80C0BB52D335E8A4E690
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\cellobject.c,00000018), ref: 6C8B96E4
                                                                                          Strings
                                                                                          • ..\Objects\cellobject.c, xrefs: 6C8B96D9
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8B96DE
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\cellobject.c
                                                                                          • API String ID: 376477240-3279096532
                                                                                          • Opcode ID: 0c319f63b004a90fc08be3ed8a3795e5329161e95b6d1f1c51ba282661e7b906
                                                                                          • Instruction ID: 0dc2c2eeb25b2016badb1df10012c69f979e28dfb879a542c7189987c2224f22
                                                                                          • Opcode Fuzzy Hash: 0c319f63b004a90fc08be3ed8a3795e5329161e95b6d1f1c51ba282661e7b906
                                                                                          • Instruction Fuzzy Hash: 2EE092316002089FC310D948D946B607364E71631DF148AC9E81C9BF92EB33DC92CBD1
                                                                                          APIs
                                                                                          • Py_FatalError.PYTHON27(non-string found in code slot,?,?,6C8BF1C4), ref: 6C8BEF84
                                                                                          • PyString_InternInPlace.PYTHON27(?,6C8BF1C4), ref: 6C8BEF8D
                                                                                          Strings
                                                                                          • non-string found in code slot, xrefs: 6C8BEF7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Similarity
                                                                                          • API ID: ErrorFatalInternPlaceString_
                                                                                          • String ID: non-string found in code slot
                                                                                          • API String ID: 3605443080-3375376674
                                                                                          • Opcode ID: 75b17939958d07795c11e46f2b545b4a9e9a854b3e7d19b91a57a0b2efd2bbb7
                                                                                          • Instruction ID: 9915700aed71f2ff51f97c2791d07370846dbeeadbbeff229adac5decd5ecae5
                                                                                          • Opcode Fuzzy Hash: 75b17939958d07795c11e46f2b545b4a9e9a854b3e7d19b91a57a0b2efd2bbb7
                                                                                          • Instruction Fuzzy Hash: 03E080379055205FA320471DAE4095777A55E9112470745F9DC15B7F25D730E8C682D2
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,000006DD,?,6C8BAC0A,?), ref: 6C8C67A6
                                                                                          Strings
                                                                                          • ..\Objects\dictobject.c, xrefs: 6C8C679B
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8C67A0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\dictobject.c
                                                                                          • API String ID: 376477240-1541589624
                                                                                          • Opcode ID: 621e3f1c65221646338158b8316a365d5d4a419326e5e43f14b050d8aa70788b
                                                                                          • Instruction ID: fa85066966e6034e3ee7b2822d97a0d3bdf83d8a280cc4570c9bd621bdac0626
                                                                                          • Opcode Fuzzy Hash: 621e3f1c65221646338158b8316a365d5d4a419326e5e43f14b050d8aa70788b
                                                                                          • Instruction Fuzzy Hash: 6AE0D8347102045BE320DF688D45E757795D742278F148F89BC2C8BAC1D622E42096D1
                                                                                          APIs
                                                                                          • PyDict_GetItem.PYTHON27(00000000), ref: 6C825859
                                                                                          • PyErr_Format.PYTHON27(00000000,unknown dialect), ref: 6C82587D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Dict_Err_FormatItem
                                                                                          • String ID: unknown dialect
                                                                                          • API String ID: 3923838959-3850176341
                                                                                          • Opcode ID: 3deee61b7a39a21f7d65ded4348b8fbef008a716fe222db280f14868c2197d14
                                                                                          • Instruction ID: 523e8e1082c827c2a903eaa6af4e34d2c3f231785788b0ada0394cea38ff99bf
                                                                                          • Opcode Fuzzy Hash: 3deee61b7a39a21f7d65ded4348b8fbef008a716fe222db280f14868c2197d14
                                                                                          • Instruction Fuzzy Hash: C4E08672B042229B87284A55BE488EA7379D7952653054A65F90597E44D734CCC287D0
                                                                                          APIs
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,codec must pass exception instance,?,6C90B04C), ref: 6C90A972
                                                                                          • PyErr_SetObject.PYTHON27(00000000,?,?,6C90B04C), ref: 6C90A988
                                                                                          Strings
                                                                                          • codec must pass exception instance, xrefs: 6C90A96C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_$ObjectString
                                                                                          • String ID: codec must pass exception instance
                                                                                          • API String ID: 1622067708-3174393782
                                                                                          • Opcode ID: 33b9a3744ba193c740d4b6cbd0a19f2dc66158233bedca1815d34fe070ede2dd
                                                                                          • Instruction ID: f84757b1b5ce9c4e0fe08300a8dc371666fdaf9fdc688aea9b38f7eaef43e2c8
                                                                                          • Opcode Fuzzy Hash: 33b9a3744ba193c740d4b6cbd0a19f2dc66158233bedca1815d34fe070ede2dd
                                                                                          • Instruction Fuzzy Hash: 06E026B27116001FC3088754EA45D0A7338575831CF29449CE82A8FE20DB22E8C492A0
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\listobject.c,000000A9), ref: 6C8D94FB
                                                                                          Strings
                                                                                          • ..\Objects\listobject.c, xrefs: 6C8D94F0
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D94F5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\listobject.c
                                                                                          • API String ID: 376477240-2051030382
                                                                                          • Opcode ID: 41ebb40de55802b9c286a52075b9cbf052c0248774f1c96a8339f1d66f275070
                                                                                          • Instruction ID: 5d96ffb09980a0dd971abf79c821b8309a38e50391fb5bc2b946b49141c334fe
                                                                                          • Opcode Fuzzy Hash: 41ebb40de55802b9c286a52075b9cbf052c0248774f1c96a8339f1d66f275070
                                                                                          • Instruction Fuzzy Hash: 95E04F357443085FE320DA68D946E657768D752238F188BC8FC6C4BBD1DA22E851A6D1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\tupleobject.c,00000072,?,6C8B9B5A,?), ref: 6C8F7EB8
                                                                                          Strings
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8F7EB2
                                                                                          • ..\Objects\tupleobject.c, xrefs: 6C8F7EAD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\tupleobject.c
                                                                                          • API String ID: 376477240-1285866127
                                                                                          • Opcode ID: 7a2fbe9ace7b32248bdfc047a02b29a39b79685fe6bf3dacb12d18dbc0ef226f
                                                                                          • Instruction ID: c7057aa93ec80e9994408aca330eba27f74e70c481c975abf9a4f68e9af72335
                                                                                          • Opcode Fuzzy Hash: 7a2fbe9ace7b32248bdfc047a02b29a39b79685fe6bf3dacb12d18dbc0ef226f
                                                                                          • Instruction Fuzzy Hash: 84E02634A042481FE320CE28DC01E257764D70533CF08CBC8BC2C8BBC1D621EC60A6C1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\methodobject.c,00000040), ref: 6C8E47E4
                                                                                          Strings
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8E47DE
                                                                                          • ..\Objects\methodobject.c, xrefs: 6C8E47D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\methodobject.c
                                                                                          • API String ID: 376477240-511127496
                                                                                          • Opcode ID: 85513237350baf10143ecda6c581884146da79fff7b9f905106fbb3403277d4d
                                                                                          • Instruction ID: 8c2193e7cd6c7cb576df89fbe049b6a1b09da4f4562a5e727192ec536192b230
                                                                                          • Opcode Fuzzy Hash: 85513237350baf10143ecda6c581884146da79fff7b9f905106fbb3403277d4d
                                                                                          • Instruction Fuzzy Hash: FCE02632A042484BC320DA9CDC06E20B758E703238F0887C8BC2C8BFD2D732E8908AC4
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\methodobject.c,0000002C), ref: 6C8E4764
                                                                                          Strings
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8E475E
                                                                                          • ..\Objects\methodobject.c, xrefs: 6C8E4759
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\methodobject.c
                                                                                          • API String ID: 376477240-511127496
                                                                                          • Opcode ID: 5efa1af475acb7ce1b9a033784c454600ab3d85d46c0e44b5f9f1f4020f274fc
                                                                                          • Instruction ID: 47f47f059bb863716e3bbbba373f5e05b3fa852c1f3191ccb3378b84c0e00863
                                                                                          • Opcode Fuzzy Hash: 5efa1af475acb7ce1b9a033784c454600ab3d85d46c0e44b5f9f1f4020f274fc
                                                                                          • Instruction Fuzzy Hash: 7AE086366012085B8710EA98DD4AD65B798E747158B4886C9BC1C87F92E732E9518AC1
                                                                                          APIs
                                                                                          • PyObject_Compare.PYTHON27(?,?), ref: 6C8AB043
                                                                                          • PyErr_SetString.PYTHON27(6CA665C8,null argument to internal routine), ref: 6C8AB077
                                                                                          Strings
                                                                                          • null argument to internal routine, xrefs: 6C8AB071
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: CompareErr_Object_String
                                                                                          • String ID: null argument to internal routine
                                                                                          • API String ID: 874617099-2212441169
                                                                                          • Opcode ID: c5a34b922fccd67c27274c43868770c005e5a365aac2bab8b199c8049ac64458
                                                                                          • Instruction ID: 77910fb2839c4463dcbb8706f407b2f79b7145b0fbd4aa42c48f0b2d9eab151d
                                                                                          • Opcode Fuzzy Hash: c5a34b922fccd67c27274c43868770c005e5a365aac2bab8b199c8049ac64458
                                                                                          • Instruction Fuzzy Hash: E8E0867071030D9BDB1CCEA6D994F7633A99B15728F104B1CA8388BB90D771E881C668
                                                                                          APIs
                                                                                          • _PyArg_ParseTuple_SizeT.PYTHON27(?,U:charmap_build,?), ref: 6C8231C1
                                                                                          • PyUnicode_BuildEncodingMap.PYTHON27(?), ref: 6C8231D5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Arg_BuildEncodingParseSizeTuple_Unicode_
                                                                                          • String ID: U:charmap_build
                                                                                          • API String ID: 2048781984-921886291
                                                                                          • Opcode ID: 2ec7c85d107d62ed545814f1bbcdb691e9fd435ba4de418f480950c7060369d4
                                                                                          • Instruction ID: 4febb8873928761baba18739604d2a7797123fe20fad4c98f42789c6ed1befa0
                                                                                          • Opcode Fuzzy Hash: 2ec7c85d107d62ed545814f1bbcdb691e9fd435ba4de418f480950c7060369d4
                                                                                          • Instruction Fuzzy Hash: 4DD012E5A0410CA79B14DAA1AD51C6A736C9B6511DF0446A8FD0C43B01FA36DE1452D1
                                                                                          APIs
                                                                                          • PyDict_DelItem.PYTHON27(00000000,?), ref: 6C8274EE
                                                                                            • Part of subcall function 6C8C5100: PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\dictobject.c,0000036B), ref: 6C8C512D
                                                                                          • PyErr_Format.PYTHON27(00000000,unknown dialect), ref: 6C827506
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format$Dict_Item
                                                                                          • String ID: unknown dialect
                                                                                          • API String ID: 2379282386-3850176341
                                                                                          • Opcode ID: a39048b90410f3d6fc48292c507cd005d030f55ced3d1ae52edf56a15d3fbf96
                                                                                          • Instruction ID: 025fa640954ae28831552b57d322fc7dc39e46368b2a0f3b24c5791750dfe462
                                                                                          • Opcode Fuzzy Hash: a39048b90410f3d6fc48292c507cd005d030f55ced3d1ae52edf56a15d3fbf96
                                                                                          • Instruction Fuzzy Hash: 0AD0C2B6710308ABCB045A5CAE41876B33C9798109740C929FD0C86F41EA31E8519690
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\classobject.c,00000098), ref: 6C8B9DC7
                                                                                          Strings
                                                                                          • ..\Objects\classobject.c, xrefs: 6C8B9DBC
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8B9DC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\classobject.c
                                                                                          • API String ID: 376477240-1919307765
                                                                                          • Opcode ID: ffa83974db97b0bf904bf029549a6c437398f22a10bb7aa75566e94d9d2801d4
                                                                                          • Instruction ID: d7a4fbaaea1f7721940eb358de70bd1d7704d1dba23eb7636ef024e43d9dc68b
                                                                                          • Opcode Fuzzy Hash: ffa83974db97b0bf904bf029549a6c437398f22a10bb7aa75566e94d9d2801d4
                                                                                          • Instruction Fuzzy Hash: 60E0C2316042085F8720DE6C9D06E24B398D71612AF088BC6BC1CD7F91EA32E85087D1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\classobject.c,000000A2), ref: 6C8B9E07
                                                                                          Strings
                                                                                          • ..\Objects\classobject.c, xrefs: 6C8B9DFC
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8B9E01
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\classobject.c
                                                                                          • API String ID: 376477240-1919307765
                                                                                          • Opcode ID: 0205c8942be558b360cd404a621b0787a56902454a7db218d35dd5e21c0dda90
                                                                                          • Instruction ID: 7cbf7055a4cbe4baf08c6da849ba7f37db0399edc3e3e238718e4ea92197304d
                                                                                          • Opcode Fuzzy Hash: 0205c8942be558b360cd404a621b0787a56902454a7db218d35dd5e21c0dda90
                                                                                          • Instruction Fuzzy Hash: 31E08C316043085F8720DE5C9D02E247398E316218B448AD5BC2C97F91EA22E86086D1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\classobject.c,0000008E), ref: 6C8B9D87
                                                                                          Strings
                                                                                          • ..\Objects\classobject.c, xrefs: 6C8B9D7C
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8B9D81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\classobject.c
                                                                                          • API String ID: 376477240-1919307765
                                                                                          • Opcode ID: 9a5ed3fe2afb76454861417cc48a706ed655e78fdc6e91238eae44a1a80b8433
                                                                                          • Instruction ID: bb86456d6c609ab1c93afcddde5f12f8cff66a728212f22ab3a5b35bbf136a49
                                                                                          • Opcode Fuzzy Hash: 9a5ed3fe2afb76454861417cc48a706ed655e78fdc6e91238eae44a1a80b8433
                                                                                          • Instruction Fuzzy Hash: 6AE0C2316042085F8720EE5CDD06E247399E315119F088BD5BC5CDBF91EB32E89087D1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\methodobject.c,00000036), ref: 6C8E47A4
                                                                                          Strings
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8E479E
                                                                                          • ..\Objects\methodobject.c, xrefs: 6C8E4799
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\methodobject.c
                                                                                          • API String ID: 376477240-511127496
                                                                                          • Opcode ID: b3147ecc429ebf79c0f878f1322ee82a93a0296bada0323b9d5b2856da87cc4f
                                                                                          • Instruction ID: 336e2c0267ab715f83d3773521a2b8289b47982e1ebfbdadadb0ebdaf09ec55c
                                                                                          • Opcode Fuzzy Hash: b3147ecc429ebf79c0f878f1322ee82a93a0296bada0323b9d5b2856da87cc4f
                                                                                          • Instruction Fuzzy Hash: 23E0CD326011085B8720DA9C9D06D65B7D8D316154F48C7C5BC1CC7F91E631D95046C1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\funcobject.c,00000057), ref: 6C8D59D4
                                                                                          Strings
                                                                                          • ..\Objects\funcobject.c, xrefs: 6C8D59C9
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D59CE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\funcobject.c
                                                                                          • API String ID: 376477240-778741475
                                                                                          • Opcode ID: f9bb779a8edf1f78c21a07efcdd2bfdfae127aca4c1f0fbfbe510de6f0bc12c6
                                                                                          • Instruction ID: 11986ee7e0821ccccbb4bbafdb9d769ad3b0bad7bbcc6ad011d95a64225faed6
                                                                                          • Opcode Fuzzy Hash: f9bb779a8edf1f78c21a07efcdd2bfdfae127aca4c1f0fbfbe510de6f0bc12c6
                                                                                          • Instruction Fuzzy Hash: BBE0C271A062086B8720EA5CAD03D347798E316129F448BC6FD5CC7F91E631E9A09BD1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\funcobject.c,00000061), ref: 6C8D5A14
                                                                                          Strings
                                                                                          • ..\Objects\funcobject.c, xrefs: 6C8D5A09
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D5A0E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2019056053.000000006C820000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019331400.000000006C96A000.00000002.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019540090.000000006CA3F000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA40000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019595704.000000006CA54000.00000008.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019691419.000000006CA91000.00000004.00000001.01000000.00000006.sdmp
                                                                                          • Associated: 00000001.00000002.2019712012.000000006CAA4000.00000002.00000001.01000000.00000006.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\funcobject.c
                                                                                          • API String ID: 376477240-778741475
                                                                                          • Opcode ID: af5217f570f43723e0acb076b090ba92489fd10c8fc0742fd9d21032853563bb
                                                                                          • Instruction ID: 1270028c882c9afaf3d9e3439214e2fb057de07a135c8ef1642975eff4036192
                                                                                          • Opcode Fuzzy Hash: af5217f570f43723e0acb076b090ba92489fd10c8fc0742fd9d21032853563bb
                                                                                          • Instruction Fuzzy Hash: AAE0C271A513085B8720EA5C9D43D64B798E712119F488AD6FD2CC7F91E632E8A097D1
                                                                                          APIs
                                                                                          • PyErr_Format.PYTHON27(6CA665C8,%s:%d: bad argument to internal function,..\Objects\funcobject.c,00000043), ref: 6C8D5954
                                                                                          Strings
                                                                                          • ..\Objects\funcobject.c, xrefs: 6C8D5949
                                                                                          • %s:%d: bad argument to internal function, xrefs: 6C8D594E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: Err_Format
                                                                                          • String ID: %s:%d: bad argument to internal function$..\Objects\funcobject.c
                                                                                          • API String ID: 376477240-778741475
                                                                                          • Opcode ID: c59315f3ae174744ed2871057e5544058b2dcb3456a3919088de22c7ba79d876
                                                                                          • Instruction ID: 2b34e70f232d0d794329a824d2b6a884b3c825f855e4224fd8c6a4e2d1a48575
                                                                                          • Opcode Fuzzy Hash: c59315f3ae174744ed2871057e5544058b2dcb3456a3919088de22c7ba79d876
                                                                                          • Instruction Fuzzy Hash: 26E0C271A012086B8720EB5CED06D24B798E312129F488AC6FD5CD7F91E631EA9097D1
                                                                                          APIs
                                                                                          • PyInt_FromLong.PYTHON27(?), ref: 6C8D70AE
                                                                                          • _PyLong_FromByteArray.PYTHON27(?,00000004,00000001,00000000), ref: 6C8D70C5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: From$ArrayByteInt_LongLong_
                                                                                          • String ID: &k
                                                                                          • API String ID: 14725604-4254052200
                                                                                          • Opcode ID: 1e2aa13561610bc81dfad886fb63ff6865535c2438d11388074d983dbbe60a2c
                                                                                          • Instruction ID: 34aca4fe16abc0ee0dc7d69b22b96f9c9735dafdf033f86c8e46b7479682b841
                                                                                          • Opcode Fuzzy Hash: 1e2aa13561610bc81dfad886fb63ff6865535c2438d11388074d983dbbe60a2c
                                                                                          • Instruction Fuzzy Hash: 77D05BB198030872DB1059A8EC41BC5374C470076DF504961FB1C9E6C1E672F69446D5
                                                                                          APIs
                                                                                          • PyNumber_CoerceEx.PYTHON27(?,6C8AC8C1,?,6C8AC8C1,?,?), ref: 6C8E714B
                                                                                          • PyErr_SetString.PYTHON27(6CA648B0,number coercion failed,?,?), ref: 6C8E7163
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2019079001.000000006C821000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C820000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_6c820000_pyexec.jbxd
                                                                                          Similarity
                                                                                          • API ID: CoerceErr_Number_String
                                                                                          • String ID: number coercion failed
                                                                                          • API String ID: 559835178-3059949011
                                                                                          • Opcode ID: e497d6d1d2c6df4ce03aeda9704006b23951803410cc489ee5a7e5b063eac0ad
                                                                                          • Instruction ID: 078278bb70975fd2c230b6ae86eae83d20442d3eeaccd2bc3c224ffdc4139aea
                                                                                          • Opcode Fuzzy Hash: e497d6d1d2c6df4ce03aeda9704006b23951803410cc489ee5a7e5b063eac0ad
                                                                                          • Instruction Fuzzy Hash: B0D05E66610305279A109668AD40C5633AC9B59629B108A28BD2C86781EB31E50846A0