Edit tour

Windows Analysis Report
4OVYJHCTFA.exe

Overview

General Information

Sample name:	4OVYJHCTFA.exe renamed because original name is a hash value
Original sample name:	30772bcce9852eb58cf05a75bcdce2f9.exe
Analysis ID:	1465836
MD5:	30772bcce9852eb58cf05a75bcdce2f9
SHA1:	b43da7a9785fb47cc1174bb4a896866fbb1a0df0
SHA256:	584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc
Tags:	32exetrojan
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

LummaC encrypted strings found

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

4OVYJHCTFA.exe (PID: 5316 cmdline: "C:\Users\user\Desktop\4OVYJHCTFA.exe" MD5: 30772BCCE9852EB58CF05A75BCDCE2F9)

EASteamProxy.exe (PID: 4888 cmdline: "C:\Users\user\AppData\Local\Temp\EASteamProxy.exe" MD5: AD2735F096925010A53450CB4178C89E)

EASteamProxy.exe (PID: 2288 cmdline: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe MD5: AD2735F096925010A53450CB4178C89E)

cmd.exe (PID: 4588 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 5776 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

EASteamProxy.exe (PID: 6640 cmdline: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe MD5: AD2735F096925010A53450CB4178C89E)

cmd.exe (PID: 3272 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 5796 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["facilitycoursedw.shop", "doughtdrillyksow.shop", "disappointcredisotw.shop", "bargainnygroandjwk.shop", "injurypiggyoewirog.shop", "leafcalfconflcitw.shop", "computerexcudesp.shop", "publicitycharetew.shop", "periodicroytewrsn.shop"], "Build id": "Fe0z0o--Batman"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Proxy Execution Via Explorer.exe

Source: Process started

Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4588, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 5776, ProcessName: explorer.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: facilitycoursedw.shop	Avira URL Cloud: Label: malware
Source: computerexcudesp.shop	Avira URL Cloud: Label: malware
Source: doughtdrillyksow.shop	Avira URL Cloud: Label: malware
Source: disappointcredisotw.shop	Avira URL Cloud: Label: malware
Source: leafcalfconflcitw.shop	Avira URL Cloud: Label: malware
Source: periodicroytewrsn.shop	Avira URL Cloud: Label: malware
Source: publicitycharetew.shop	Avira URL Cloud: Label: malware
Source: bargainnygroandjwk.shop	Avira URL Cloud: Label: malware
Source: injurypiggyoewirog.shop	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\gqnmaqicmbds	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\tbh	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Found malware configuration

Source: cmd.exe.4588.3.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["facilitycoursedw.shop", "doughtdrillyksow.shop", "disappointcredisotw.shop", "bargainnygroandjwk.shop", "injurypiggyoewirog.shop", "leafcalfconflcitw.shop", "computerexcudesp.shop", "publicitycharetew.shop", "periodicroytewrsn.shop"], "Build id": "Fe0z0o--Batman"}

Multi AV Scanner detection for domain / URL

Source: facilitycoursedw.shop	Virustotal: Detection: 17%	Perma Link
Source: computerexcudesp.shop	Virustotal: Detection: 17%	Perma Link
Source: disappointcredisotw.shop	Virustotal: Detection: 17%	Perma Link
Source: doughtdrillyksow.shop	Virustotal: Detection: 17%	Perma Link
Source: publicitycharetew.shop	Virustotal: Detection: 18%	Perma Link
Source: leafcalfconflcitw.shop	Virustotal: Detection: 17%	Perma Link
Source: injurypiggyoewirog.shop	Virustotal: Detection: 16%	Perma Link
Source: bargainnygroandjwk.shop	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Qt5Network.dll	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\Qt5Network.dll	Virustotal: Detection: 8%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\gqnmaqicmbds	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\gqnmaqicmbds	Virustotal: Detection: 78%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\tbh	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\tbh	Virustotal: Detection: 78%	Perma Link
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\Qt5Network.dll	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\Qt5Network.dll	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for submitted file

Source: 4OVYJHCTFA.exe	ReversingLabs: Detection: 70%
Source: 4OVYJHCTFA.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\gqnmaqicmbds	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tbh	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: facilitycoursedw.shop
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: doughtdrillyksow.shop
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: disappointcredisotw.shop
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bargainnygroandjwk.shop
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: injurypiggyoewirog.shop
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: leafcalfconflcitw.shop
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: computerexcudesp.shop
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: publicitycharetew.shop
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: periodicroytewrsn.shop
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Fe0z0o--Batman

Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA5B40 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	1_2_00007FFDFAEA5B40
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE97B20 CRYPTO_free,	1_2_00007FFDFAE97B20
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91CD5 CRYPTO_malloc,COMP_expand_block,	1_2_00007FFDFAE91CD5
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE916E5 CRYPTO_zalloc,	1_2_00007FFDFAE916E5
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91104 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	1_2_00007FFDFAE91104
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91253 CRYPTO_free,	1_2_00007FFDFAE91253
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE1AD0 CRYPTO_free,	1_2_00007FFDFAEE1AD0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE922CA ERR_put_error,CRYPTO_free,CRYPTO_strdup,	1_2_00007FFDFAE922CA
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEAFAA0 strncmp,strncmp,strncmp,strncmp,ERR_put_error,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,ERR_put_error,strncmp,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	1_2_00007FFDFAEAFAA0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEEFA70 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,	1_2_00007FFDFAEEFA70
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9DC20 CRYPTO_free,	1_2_00007FFDFAE9DC20
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEADBC0 CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	1_2_00007FFDFAEADBC0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91686 CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAE91686
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91028 EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_new,RSA_pkey_ctx_ctrl,CRYPTO_free,EVP_MD_CTX_free,EVP_MD_CTX_free,	1_2_00007FFDFAE91028
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91F6E CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAE91F6E
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9193D CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAE9193D
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9141F EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	1_2_00007FFDFAE9141F
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEB18D0 CRYPTO_free,CRYPTO_strdup,	1_2_00007FFDFAEB18D0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC7870 CRYPTO_free,	1_2_00007FFDFAEC7870
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91870 CRYPTO_free,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAE91870
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEB3A20 CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAEB3A20
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9207C CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	1_2_00007FFDFAE9207C
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91C12 CRYPTO_free,CRYPTO_strdup,	1_2_00007FFDFAE91C12
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEED9C0 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,CRYPTO_memcmp,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAEED9C0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92144 EVP_MD_CTX_new,EVP_MD_CTX_copy_ex,EVP_MD_CTX_free,CRYPTO_memcmp,memcpy,memcpy,	1_2_00007FFDFAE92144
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE924DC CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAE924DC
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE3980 CRYPTO_malloc,memcpy,	1_2_00007FFDFAEE3980
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE99F50 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAE99F50
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEB5F20 ERR_put_error,CRYPTO_free,ERR_put_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	1_2_00007FFDFAEB5F20
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91861 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,OPENSSL_cleanse,OPENSSL_cleanse,EVP_MD_size,	1_2_00007FFDFAE91861
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEADEF0 CRYPTO_THREAD_run_once,	1_2_00007FFDFAEADEF0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA7EE0 CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAEA7EE0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE97ED0 CRYPTO_zalloc,ERR_put_error,	1_2_00007FFDFAE97ED0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9150A CRYPTO_free,CRYPTO_malloc,ERR_put_error,memcpy,	1_2_00007FFDFAE9150A
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9FEA0 EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,strncmp,strncmp,strncmp,strncmp,strncmp,	1_2_00007FFDFAE9FEA0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9101E EVP_PKEY_free,BN_num_bits,BN_bn2bin,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_clear_free,	1_2_00007FFDFAE9101E
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92095 CRYPTO_free,_time64,CRYPTO_free,CRYPTO_malloc,EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free,	1_2_00007FFDFAE92095
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAECA030 CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAECA030
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9E010 CRYPTO_malloc,	1_2_00007FFDFAE9E010
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91F28 CRYPTO_free,CRYPTO_malloc,memcpy,	1_2_00007FFDFAE91F28
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9218F EVP_MD_CTX_new,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,EVP_DigestSign,BUF_reverse,CRYPTO_free,EVP_MD_CTX_free,CRYPTO_free,EVP_MD_CTX_free,	1_2_00007FFDFAE9218F
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA5F70 CRYPTO_free,CRYPTO_strdup,	1_2_00007FFDFAEA5F70
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA9D50 CRYPTO_free,CRYPTO_strndup,	1_2_00007FFDFAEA9D50
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9DD30 CRYPTO_free,	1_2_00007FFDFAE9DD30
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE920F4 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	1_2_00007FFDFAE920F4
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE918BB CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	1_2_00007FFDFAE918BB
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9DCD0 CRYPTO_free,	1_2_00007FFDFAE9DCD0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEADCB0 COMP_zlib,CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	1_2_00007FFDFAEADCB0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE97C70 CRYPTO_free,	1_2_00007FFDFAE97C70
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEEBC60 CRYPTO_memcmp,	1_2_00007FFDFAEEBC60
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91E6A CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,CRYPTO_free,	1_2_00007FFDFAE91E6A
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEF7E00 CRYPTO_free,CRYPTO_malloc,ERR_put_error,	1_2_00007FFDFAEF7E00
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEFBDF0 memset,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_put_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	1_2_00007FFDFAEFBDF0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9DDE0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,	1_2_00007FFDFAE9DDE0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAECFDC0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAECFDC0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC9D90 CRYPTO_memcmp,	1_2_00007FFDFAEC9D90
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEABD80 CRYPTO_zalloc,ERR_put_error,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,	1_2_00007FFDFAEABD80
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEEFD80 EVP_PKEY_get0_RSA,RSA_size,RSA_size,CRYPTO_malloc,RAND_priv_bytes,CRYPTO_free,	1_2_00007FFDFAEEFD80
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE97D70 CRYPTO_zalloc,ERR_put_error,	1_2_00007FFDFAE97D70
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEBD350 CRYPTO_malloc,CRYPTO_clear_free,	1_2_00007FFDFAEBD350
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAECF350 CRYPTO_realloc,	1_2_00007FFDFAECF350
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE1310 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAEE1310
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91005 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	1_2_00007FFDFAE91005
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC3290 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,	1_2_00007FFDFAEC3290
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEF7270 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAEF7270
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9172B CRYPTO_free,CRYPTO_strndup,	1_2_00007FFDFAE9172B
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA7450 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,	1_2_00007FFDFAEA7450
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91FB9 BN_bin2bn,BN_is_zero,CRYPTO_free,CRYPTO_strdup,CRYPTO_clear_free,	1_2_00007FFDFAE91FB9
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91B04 CRYPTO_malloc,CRYPTO_mem_ctrl,OPENSSL_sk_find,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,OPENSSL_sk_push,CRYPTO_mem_ctrl,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,	1_2_00007FFDFAE91B04
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC7410 CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAEC7410
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE13B0 CRYPTO_malloc,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,CRYPTO_free,	1_2_00007FFDFAEE13B0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91C49 X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	1_2_00007FFDFAE91C49
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC7370 CRYPTO_free,	1_2_00007FFDFAEC7370
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEB3110 ERR_put_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	1_2_00007FFDFAEB3110
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEDB110 memset,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	1_2_00007FFDFAEDB110
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92446 CRYPTO_memdup,ERR_put_error,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAE92446
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91A0A EVP_MD_size,EVP_CIPHER_iv_length,EVP_CIPHER_key_length,CRYPTO_clear_free,CRYPTO_malloc,	1_2_00007FFDFAE91A0A
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE923EC CRYPTO_free,CRYPTO_malloc,memcmp,CRYPTO_memdup,	1_2_00007FFDFAE923EC
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91B63 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	1_2_00007FFDFAE91B63
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA9210 ASN1_item_d2i,ERR_put_error,ASN1_item_free,memcpy,_time64,X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ASN1_item_free,	1_2_00007FFDFAEA9210
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC71F0 CRYPTO_free,	1_2_00007FFDFAEC71F0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC91F0 EVP_MD_size,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,BIO_ctrl,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key,EVP_DigestSignInit,EVP_DigestUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,	1_2_00007FFDFAEC91F0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC51C0 CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	1_2_00007FFDFAEC51C0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91F05 EVP_MD_CTX_new,X509_get0_pubkey,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_size,EVP_DigestVerifyInit,EVP_PKEY_id,CRYPTO_malloc,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestVerify,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	1_2_00007FFDFAE91F05
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEB9170 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	1_2_00007FFDFAEB9170
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE923DD CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAE923DD
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92400 CRYPTO_malloc,ERR_put_error,CRYPTO_free,	1_2_00007FFDFAE92400
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91DAC CONF_parse_list,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAE91DAC
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEBF6D0 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	1_2_00007FFDFAEBF6D0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9125D BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	1_2_00007FFDFAE9125D
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEAD660 CRYPTO_THREAD_run_once,	1_2_00007FFDFAEAD660
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE924AF CRYPTO_free,CRYPTO_malloc,memcpy,	1_2_00007FFDFAE924AF
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91844 CRYPTO_free,	1_2_00007FFDFAE91844
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEAF830 CRYPTO_zalloc,ERR_put_error,CRYPTO_free,	1_2_00007FFDFAEAF830
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEDB820 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,	1_2_00007FFDFAEDB820
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAED77B0 CRYPTO_free,CRYPTO_strndup,	1_2_00007FFDFAED77B0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC3790 CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	1_2_00007FFDFAEC3790
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE917A3 CRYPTO_free,	1_2_00007FFDFAE917A3
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE922DE ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAE922DE
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAED7520 CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAED7520
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE918C5 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	1_2_00007FFDFAE918C5
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEDB4A0 X509_get0_pubkey,CRYPTO_malloc,RAND_bytes,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_PKEY_CTX_free,	1_2_00007FFDFAEDB4A0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE99490 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	1_2_00007FFDFAE99490
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEB9470 ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_put_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,	1_2_00007FFDFAEB9470
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE910A5 CRYPTO_zalloc,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_put_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	1_2_00007FFDFAE910A5
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91695 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	1_2_00007FFDFAE91695
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEB5624 CRYPTO_THREAD_unlock,CRYPTO_set_ex_data,CRYPTO_set_ex_data,COMP_CTX_get_method,	1_2_00007FFDFAEB5624
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC75D0 CRYPTO_free,	1_2_00007FFDFAEC75D0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEDD5C0 CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAEDD5C0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAECF590 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAECF590
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9231A CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAE9231A
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC7560 CRYPTO_free,	1_2_00007FFDFAEC7560
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9254A CRYPTO_malloc,ERR_put_error,BIO_snprintf,	1_2_00007FFDFAE9254A
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92310 CRYPTO_free,	1_2_00007FFDFAE92310
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE96B30 CRYPTO_zalloc,CRYPTO_free,	1_2_00007FFDFAE96B30
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEBCB20 ERR_put_error,ERR_put_error,ERR_put_error,EVP_MD_size,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_malloc,ERR_put_error,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,ERR_put_error,EVP_PKEY_free,X509_get0_pubkey,X509_free,OPENSSL_sk_push,ERR_put_error,X509_free,ERR_put_error,	1_2_00007FFDFAEBCB20
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9EB00 EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,	1_2_00007FFDFAE9EB00
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEDAB00 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,	1_2_00007FFDFAEDAB00
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEEAA8C CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAEEAA8C
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE98A70 CRYPTO_free,	1_2_00007FFDFAE98A70
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEDCA70 EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAEDCA70
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91BFE ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,OPENSSL_LH_new,OPENSSL_sk_num,EVP_get_digestbyname,EVP_get_digestbyname,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,RAND_bytes,RAND_priv_bytes,RAND_priv_bytes,RAND_priv_bytes,	1_2_00007FFDFAE91BFE
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91230 memcpy,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,memcmp,_time64,	1_2_00007FFDFAE91230
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE917B7 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	1_2_00007FFDFAE917B7
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91EAB CRYPTO_memcmp,memchr,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,	1_2_00007FFDFAE91EAB
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91F78 CRYPTO_strdup,	1_2_00007FFDFAE91F78
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91B18 memset,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,CRYPTO_memcmp,	1_2_00007FFDFAE91B18
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91F0A CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_put_error,CRYPTO_clear_free,	1_2_00007FFDFAE91F0A
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEBC870 CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAEBC870
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91D52 BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,	1_2_00007FFDFAE91D52
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEBAA24 ERR_put_error,CRYPTO_set_ex_data,CRYPTO_set_ex_data,COMP_CTX_get_method,	1_2_00007FFDFAEBAA24
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92252 BIO_s_file,BIO_new,BIO_ctrl,strncmp,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	1_2_00007FFDFAE92252
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE8A00 CRYPTO_free,CRYPTO_strndup,	1_2_00007FFDFAEE8A00
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEAC9F0 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAEAC9F0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAED09F0 CRYPTO_free,CRYPTO_strndup,	1_2_00007FFDFAED09F0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9109B CRYPTO_free,CRYPTO_memdup,CRYPTO_memdup,	1_2_00007FFDFAE9109B
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEAC990 CRYPTO_get_ex_new_index,	1_2_00007FFDFAEAC990
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAED896F CRYPTO_malloc,	1_2_00007FFDFAED896F
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEBC960 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,	1_2_00007FFDFAEBC960
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91CE4 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAE91CE4
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEF8F30 HMAC_CTX_new,EVP_CIPHER_CTX_new,EVP_sha256,HMAC_Init_ex,EVP_aes_256_cbc,HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,	1_2_00007FFDFAEF8F30
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9191F ERR_put_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,OPENSSL_sk_value,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	1_2_00007FFDFAE9191F
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC6E60 CRYPTO_free,CRYPTO_strdup,CRYPTO_free,	1_2_00007FFDFAEC6E60
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91C2B EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_malloc,	1_2_00007FFDFAE91C2B
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9228E CRYPTO_free,	1_2_00007FFDFAE9228E
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91B4F CRYPTO_THREAD_write_lock,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,	1_2_00007FFDFAE91B4F
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92261 CRYPTO_zalloc,ERR_put_error,	1_2_00007FFDFAE92261
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE918CF CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAE918CF
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91357 memcmp,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,memcmp,memcmp,memcpy,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAE91357
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC2D10 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	1_2_00007FFDFAEC2D10
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91208 CRYPTO_zalloc,memcpy,memcpy,memcpy,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAE91208
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE2CE0 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,memcpy,memcpy,	1_2_00007FFDFAEE2CE0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAED8CDA CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAED8CDA
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEDACD0 EVP_DigestUpdate,EVP_MD_CTX_free,EVP_PKEY_CTX_free,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	1_2_00007FFDFAEDACD0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEAECC0 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_flags,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,	1_2_00007FFDFAEAECC0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE8CC0 CRYPTO_malloc,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,RAND_bytes,EVP_sha256,EVP_EncryptUpdate,EVP_EncryptFinal,HMAC_Update,HMAC_Final,	1_2_00007FFDFAEE8CC0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA6CA5 CRYPTO_free,CRYPTO_strdup,ERR_put_error,ERR_put_error,	1_2_00007FFDFAEA6CA5
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE915CD EVP_MD_CTX_new,EVP_PKEY_new,EVP_PKEY_assign,DH_free,EVP_PKEY_security_bits,EVP_PKEY_get0_DH,EVP_PKEY_free,DH_get0_key,EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,EVP_PKEY_size,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestSign,CRYPTO_free,EVP_MD_CTX_free,	1_2_00007FFDFAE915CD
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC6DF0 CRYPTO_free,	1_2_00007FFDFAEC6DF0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE919BA CRYPTO_malloc,	1_2_00007FFDFAE919BA
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA6DAB ERR_put_error,CRYPTO_free,CRYPTO_strdup,	1_2_00007FFDFAEA6DAB
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE98D80 CRYPTO_malloc,ERR_put_error,	1_2_00007FFDFAE98D80
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91ABE CONF_parse_list,CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAE91ABE
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAED0340 CRYPTO_memcmp,	1_2_00007FFDFAED0340
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE919EC CRYPTO_malloc,ERR_put_error,CRYPTO_free,	1_2_00007FFDFAE919EC
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92149 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,	1_2_00007FFDFAE92149
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEF02A0 BN_bin2bn,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,	1_2_00007FFDFAEF02A0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91D8E BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,CRYPTO_free,CRYPTO_strdup,	1_2_00007FFDFAE91D8E
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91EB5 CRYPTO_strdup,CRYPTO_free,	1_2_00007FFDFAE91EB5
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE94443 CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	1_2_00007FFDFAE94443
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE8420 CRYPTO_memcmp,	1_2_00007FFDFAEE8420
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE912E4 EVP_MD_size,RAND_bytes,_time64,CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAE912E4
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAED8397 CRYPTO_clear_free,	1_2_00007FFDFAED8397
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC4370 OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	1_2_00007FFDFAEC4370
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91514 CRYPTO_free,	1_2_00007FFDFAE91514
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEB2150 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	1_2_00007FFDFAEB2150
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9225C CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	1_2_00007FFDFAE9225C
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91BAE CRYPTO_free,CRYPTO_malloc,	1_2_00007FFDFAE91BAE
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92116 CRYPTO_malloc,	1_2_00007FFDFAE92116
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA60AA CRYPTO_free,	1_2_00007FFDFAEA60AA
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9215D CRYPTO_free,CRYPTO_malloc,RAND_bytes,	1_2_00007FFDFAE9215D
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAED0090 CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAED0090
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE94064 BIO_get_data,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	1_2_00007FFDFAE94064
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAECA250 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	1_2_00007FFDFAECA250
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE0200 CRYPTO_free,CRYPTO_free,CRYPTO_strndup,	1_2_00007FFDFAEE0200
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC41B0 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	1_2_00007FFDFAEC41B0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA41B0 CRYPTO_clear_free,	1_2_00007FFDFAEA41B0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA8180 EVP_PKEY_CTX_new,EVP_PKEY_derive_init,EVP_PKEY_derive_set_peer,EVP_PKEY_derive,CRYPTO_malloc,EVP_PKEY_derive,CRYPTO_clear_free,EVP_PKEY_CTX_free,	1_2_00007FFDFAEA8180
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91663 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAE91663
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEFC750 SRP_Calc_u,BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,CRYPTO_clear_free,BN_clear_free,	1_2_00007FFDFAEFC750
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91B9A CRYPTO_free,CRYPTO_malloc,	1_2_00007FFDFAE91B9A
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAED0740 CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAED0740
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEAA710 CRYPTO_THREAD_run_once,	1_2_00007FFDFAEAA710
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEBC6D0 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	1_2_00007FFDFAEBC6D0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE916B8 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_clear_error,OPENSSL_sk_value,X509_get0_pubkey,EVP_PKEY_missing_parameters,X509_free,X509_up_ref,X509_free,OPENSSL_sk_pop_free,	1_2_00007FFDFAE916B8
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE94660 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,	1_2_00007FFDFAE94660
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91E60 CRYPTO_clear_free,	1_2_00007FFDFAE91E60
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE87E0 CRYPTO_free,CRYPTO_memdup,	1_2_00007FFDFAEE87E0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91249 CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,memcpy,	1_2_00007FFDFAE91249
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91AB9 CRYPTO_free,	1_2_00007FFDFAE91AB9
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91519 CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,ERR_put_error,ERR_put_error,ERR_put_error,memcpy,	1_2_00007FFDFAE91519
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC4530 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,	1_2_00007FFDFAEC4530
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEE2530 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,	1_2_00007FFDFAEE2530
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE984E0 CRYPTO_zalloc,ERR_put_error,	1_2_00007FFDFAE984E0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE917D5 CRYPTO_malloc,memcpy,	1_2_00007FFDFAE917D5
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92513 CRYPTO_free,	1_2_00007FFDFAE92513
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91500 CRYPTO_memdup,ERR_put_error,CRYPTO_free,CRYPTO_free,	1_2_00007FFDFAE91500
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE924D7 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,OPENSSL_sk_num,CRYPTO_memcmp,CRYPTO_free,X509_free,OPENSSL_sk_pop_free,OPENSSL_sk_value,X509_get0_pubkey,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,	1_2_00007FFDFAE924D7
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC85F0 CRYPTO_zalloc,CRYPTO_free,	1_2_00007FFDFAEC85F0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEB45E0 X509_VERIFY_PARAM_free,CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,ENGINE_finish,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	1_2_00007FFDFAEB45E0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA85D0 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	1_2_00007FFDFAEA85D0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91F9B CRYPTO_free,BIO_clear_flags,BIO_set_flags,BIO_snprintf,ERR_add_error_data,memcpy,	1_2_00007FFDFAE91F9B
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE98590 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,	1_2_00007FFDFAE98590
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA05FA70 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,	2_2_00007FFDFA05FA70
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01FAA0 strncmp,strncmp,strncmp,strncmp,ERR_put_error,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,ERR_put_error,strncmp,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	2_2_00007FFDFA01FAA0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001104 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFDFA001104
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001253 CRYPTO_free,	2_2_00007FFDFA001253
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA051AD0 CRYPTO_free,	2_2_00007FFDFA051AD0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0022CA ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFDFA0022CA
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0016E5 CRYPTO_zalloc,	2_2_00007FFDFA0016E5
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001CD5 CRYPTO_malloc,COMP_expand_block,	2_2_00007FFDFA001CD5
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA007B20 CRYPTO_free,	2_2_00007FFDFA007B20
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA015B40 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	2_2_00007FFDFA015B40
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001686 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA001686
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01DBC0 CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	2_2_00007FFDFA01DBC0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00DC20 CRYPTO_free,	2_2_00007FFDFA00DC20
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA037870 CRYPTO_free,	2_2_00007FFDFA037870
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0218D0 CRYPTO_free,CRYPTO_strdup,	2_2_00007FFDFA0218D0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00141F EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFDFA00141F
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001F6E CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA001F6E
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00193D CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA00193D
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001028 EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_new,RSA_pkey_ctx_ctrl,CRYPTO_free,EVP_MD_CTX_free,EVP_MD_CTX_free,	2_2_00007FFDFA001028
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA053980 CRYPTO_malloc,memcpy,	2_2_00007FFDFA053980
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0024DC CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA0024DC
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA05D9C0 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,CRYPTO_memcmp,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA05D9C0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002144 EVP_MD_CTX_new,EVP_MD_CTX_copy_ex,EVP_MD_CTX_free,CRYPTO_memcmp,memcpy,memcpy,	2_2_00007FFDFA002144
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001C12 CRYPTO_free,CRYPTO_strdup,	2_2_00007FFDFA001C12
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA023A20 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA023A20
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00207C CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FFDFA00207C
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001870 CRYPTO_free,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA001870
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00FEA0 EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,strncmp,strncmp,strncmp,strncmp,strncmp,	2_2_00007FFDFA00FEA0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00150A CRYPTO_free,CRYPTO_malloc,ERR_put_error,memcpy,	2_2_00007FFDFA00150A
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA007ED0 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFDFA007ED0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01DEF0 CRYPTO_THREAD_run_once,	2_2_00007FFDFA01DEF0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA017EE0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA017EE0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001861 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,OPENSSL_cleanse,OPENSSL_cleanse,EVP_MD_size,	2_2_00007FFDFA001861
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA025F20 ERR_put_error,CRYPTO_free,ERR_put_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	2_2_00007FFDFA025F20
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA009F50 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA009F50
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA015F70 CRYPTO_free,CRYPTO_strdup,	2_2_00007FFDFA015F70
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00218F EVP_MD_CTX_new,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,EVP_DigestSign,BUF_reverse,CRYPTO_free,EVP_MD_CTX_free,CRYPTO_free,EVP_MD_CTX_free,	2_2_00007FFDFA00218F
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00E010 CRYPTO_malloc,	2_2_00007FFDFA00E010
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001F28 CRYPTO_free,CRYPTO_malloc,memcpy,	2_2_00007FFDFA001F28
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA03A030 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA03A030
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00101E EVP_PKEY_free,BN_num_bits,BN_bn2bin,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FFDFA00101E
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002095 CRYPTO_free,_time64,CRYPTO_free,CRYPTO_malloc,EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free,	2_2_00007FFDFA002095
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA05BC60 CRYPTO_memcmp,	2_2_00007FFDFA05BC60
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA007C70 CRYPTO_free,	2_2_00007FFDFA007C70
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01DCB0 COMP_zlib,CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	2_2_00007FFDFA01DCB0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00DCD0 CRYPTO_free,	2_2_00007FFDFA00DCD0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0018BB CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FFDFA0018BB
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00DD30 CRYPTO_free,	2_2_00007FFDFA00DD30
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0020F4 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	2_2_00007FFDFA0020F4
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA019D50 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFDFA019D50
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA007D70 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFDFA007D70
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA039D90 CRYPTO_memcmp,	2_2_00007FFDFA039D90
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01BD80 CRYPTO_zalloc,ERR_put_error,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,	2_2_00007FFDFA01BD80
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA05FD80 EVP_PKEY_get0_RSA,RSA_size,RSA_size,CRYPTO_malloc,RAND_priv_bytes,CRYPTO_free,	2_2_00007FFDFA05FD80
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA03FDC0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA03FDC0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00DDE0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,	2_2_00007FFDFA00DDE0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA067E00 CRYPTO_free,CRYPTO_malloc,ERR_put_error,	2_2_00007FFDFA067E00
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001E6A CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,CRYPTO_free,	2_2_00007FFDFA001E6A
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00172B CRYPTO_free,CRYPTO_strndup,	2_2_00007FFDFA00172B
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA033290 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,	2_2_00007FFDFA033290
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001005 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	2_2_00007FFDFA001005
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA051310 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA051310
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA03F350 CRYPTO_realloc,	2_2_00007FFDFA03F350
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA02D350 CRYPTO_malloc,CRYPTO_clear_free,	2_2_00007FFDFA02D350
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA037370 CRYPTO_free,	2_2_00007FFDFA037370
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0513B0 CRYPTO_malloc,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,CRYPTO_free,	2_2_00007FFDFA0513B0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001C49 X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FFDFA001C49
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA037410 CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA037410
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001B04 CRYPTO_malloc,CRYPTO_mem_ctrl,OPENSSL_sk_find,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,OPENSSL_sk_push,CRYPTO_mem_ctrl,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,	2_2_00007FFDFA001B04
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA017450 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,	2_2_00007FFDFA017450
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001FB9 BN_bin2bn,BN_is_zero,CRYPTO_free,CRYPTO_strdup,CRYPTO_clear_free,	2_2_00007FFDFA001FB9
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002446 CRYPTO_memdup,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA002446
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001A0A EVP_MD_size,EVP_CIPHER_iv_length,EVP_CIPHER_key_length,CRYPTO_clear_free,CRYPTO_malloc,	2_2_00007FFDFA001A0A
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA023110 ERR_put_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	2_2_00007FFDFA023110
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA04B110 memset,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FFDFA04B110
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA029170 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	2_2_00007FFDFA029170
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001F05 EVP_MD_CTX_new,X509_get0_pubkey,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_size,EVP_DigestVerifyInit,EVP_PKEY_id,CRYPTO_malloc,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestVerify,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	2_2_00007FFDFA001F05
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0351C0 CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	2_2_00007FFDFA0351C0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0391F0 EVP_MD_size,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,BIO_ctrl,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key,EVP_DigestSignInit,EVP_DigestUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,	2_2_00007FFDFA0391F0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0371F0 CRYPTO_free,	2_2_00007FFDFA0371F0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA019210 ASN1_item_d2i,ERR_put_error,ASN1_item_free,memcpy,_time64,X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ASN1_item_free,	2_2_00007FFDFA019210
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0023EC CRYPTO_free,CRYPTO_malloc,memcmp,CRYPTO_memdup,	2_2_00007FFDFA0023EC
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001B63 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFDFA001B63
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01D660 CRYPTO_THREAD_run_once,	2_2_00007FFDFA01D660
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00125D BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFDFA00125D
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA02F6D0 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFDFA02F6D0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001DAC CONF_parse_list,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA001DAC
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002400 CRYPTO_malloc,ERR_put_error,CRYPTO_free,	2_2_00007FFDFA002400
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0023DD CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA0023DD
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0017A3 CRYPTO_free,	2_2_00007FFDFA0017A3
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA033790 CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFDFA033790
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0477B0 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFDFA0477B0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01F830 CRYPTO_zalloc,ERR_put_error,CRYPTO_free,	2_2_00007FFDFA01F830
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA04B820 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFDFA04B820
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0024AF CRYPTO_free,CRYPTO_malloc,memcpy,	2_2_00007FFDFA0024AF
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001844 CRYPTO_free,	2_2_00007FFDFA001844
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA029470 ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_put_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,	2_2_00007FFDFA029470
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0010A5 CRYPTO_zalloc,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_put_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	2_2_00007FFDFA0010A5
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA009490 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	2_2_00007FFDFA009490
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0018C5 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFDFA0018C5
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA04B4A0 X509_get0_pubkey,CRYPTO_malloc,RAND_bytes,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FFDFA04B4A0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA047520 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA047520
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0022DE ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA0022DE
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA037560 CRYPTO_free,	2_2_00007FFDFA037560
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA03F590 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA03F590
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00231A CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA00231A
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0375D0 CRYPTO_free,	2_2_00007FFDFA0375D0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA04D5C0 CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA04D5C0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA025624 CRYPTO_THREAD_unlock,CRYPTO_set_ex_data,CRYPTO_set_ex_data,COMP_CTX_get_method,	2_2_00007FFDFA025624
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001695 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FFDFA001695
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA008A70 CRYPTO_free,	2_2_00007FFDFA008A70
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA04CA70 EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA04CA70
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001BFE ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,OPENSSL_LH_new,OPENSSL_sk_num,EVP_get_digestbyname,EVP_get_digestbyname,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,RAND_bytes,RAND_priv_bytes,RAND_priv_bytes,RAND_priv_bytes,	2_2_00007FFDFA001BFE
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA05AA8C CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA05AA8C
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00EB00 EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,	2_2_00007FFDFA00EB00
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA04AB00 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,	2_2_00007FFDFA04AB00
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA02CB20 ERR_put_error,ERR_put_error,ERR_put_error,EVP_MD_size,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_malloc,ERR_put_error,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,ERR_put_error,EVP_PKEY_free,X509_get0_pubkey,X509_free,OPENSSL_sk_push,ERR_put_error,X509_free,ERR_put_error,	2_2_00007FFDFA02CB20
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA006B30 CRYPTO_zalloc,CRYPTO_free,	2_2_00007FFDFA006B30
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00254A CRYPTO_malloc,ERR_put_error,BIO_snprintf,	2_2_00007FFDFA00254A
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002310 CRYPTO_free,	2_2_00007FFDFA002310
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001EAB CRYPTO_memcmp,memchr,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,	2_2_00007FFDFA001EAB
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0017B7 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FFDFA0017B7
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001230 memcpy,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,memcmp,_time64,	2_2_00007FFDFA001230
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA02C870 CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA02C870
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001F0A CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_put_error,CRYPTO_clear_free,	2_2_00007FFDFA001F0A
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001B18 memset,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,CRYPTO_memcmp,	2_2_00007FFDFA001B18
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001F78 CRYPTO_strdup,	2_2_00007FFDFA001F78
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA04896F CRYPTO_malloc,	2_2_00007FFDFA04896F
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001CE4 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA001CE4
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA02C960 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,	2_2_00007FFDFA02C960
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01C990 CRYPTO_get_ex_new_index,	2_2_00007FFDFA01C990
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00109B CRYPTO_free,CRYPTO_memdup,CRYPTO_memdup,	2_2_00007FFDFA00109B
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0409F0 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFDFA0409F0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01C9F0 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA01C9F0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002252 BIO_s_file,BIO_new,BIO_ctrl,strncmp,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	2_2_00007FFDFA002252
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA058A00 CRYPTO_free,CRYPTO_strndup,	2_2_00007FFDFA058A00
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001D52 BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,	2_2_00007FFDFA001D52
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA02AA24 ERR_put_error,CRYPTO_set_ex_data,CRYPTO_set_ex_data,COMP_CTX_get_method,	2_2_00007FFDFA02AA24
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA036E60 CRYPTO_free,CRYPTO_strdup,CRYPTO_free,	2_2_00007FFDFA036E60
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00191F ERR_put_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,OPENSSL_sk_value,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	2_2_00007FFDFA00191F
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0018CF CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA0018CF
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001357 memcmp,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,memcmp,memcmp,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA001357
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001B4F CRYPTO_THREAD_write_lock,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,	2_2_00007FFDFA001B4F
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002261 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFDFA002261
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00228E CRYPTO_free,	2_2_00007FFDFA00228E
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001C2B EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_malloc,	2_2_00007FFDFA001C2B
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA016CA5 CRYPTO_free,CRYPTO_strdup,ERR_put_error,ERR_put_error,	2_2_00007FFDFA016CA5
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA04ACD0 EVP_DigestUpdate,EVP_MD_CTX_free,EVP_PKEY_CTX_free,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	2_2_00007FFDFA04ACD0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA048CDA CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA048CDA
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01ECC0 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_flags,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,	2_2_00007FFDFA01ECC0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA058CC0 CRYPTO_malloc,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,RAND_bytes,EVP_sha256,EVP_EncryptUpdate,EVP_EncryptFinal,HMAC_Update,HMAC_Final,	2_2_00007FFDFA058CC0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001208 CRYPTO_zalloc,memcpy,memcpy,memcpy,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA001208
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA052CE0 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,memcpy,memcpy,	2_2_00007FFDFA052CE0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA032D10 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FFDFA032D10
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA008D80 CRYPTO_malloc,ERR_put_error,	2_2_00007FFDFA008D80
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0019BA CRYPTO_malloc,	2_2_00007FFDFA0019BA
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA016DAB ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFDFA016DAB
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA036DF0 CRYPTO_free,	2_2_00007FFDFA036DF0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0015CD EVP_MD_CTX_new,EVP_PKEY_new,EVP_PKEY_assign,DH_free,EVP_PKEY_security_bits,EVP_PKEY_get0_DH,EVP_PKEY_free,DH_get0_key,EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,EVP_PKEY_size,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestSign,CRYPTO_free,EVP_MD_CTX_free,	2_2_00007FFDFA0015CD
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001D8E BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFDFA001D8E
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001EB5 CRYPTO_strdup,CRYPTO_free,	2_2_00007FFDFA001EB5
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0602A0 BN_bin2bn,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,	2_2_00007FFDFA0602A0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002149 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,	2_2_00007FFDFA002149
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0019EC CRYPTO_malloc,ERR_put_error,CRYPTO_free,	2_2_00007FFDFA0019EC
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA040340 CRYPTO_memcmp,	2_2_00007FFDFA040340
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001ABE CONF_parse_list,CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA001ABE
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA034370 OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FFDFA034370
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001514 CRYPTO_free,	2_2_00007FFDFA001514
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA048397 CRYPTO_clear_free,	2_2_00007FFDFA048397
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0012E4 EVP_MD_size,RAND_bytes,_time64,CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA0012E4
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA058420 CRYPTO_memcmp,	2_2_00007FFDFA058420
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA004443 CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	2_2_00007FFDFA004443
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA004064 BIO_get_data,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	2_2_00007FFDFA004064
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA040090 CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA040090
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00215D CRYPTO_free,CRYPTO_malloc,RAND_bytes,	2_2_00007FFDFA00215D
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0160AA CRYPTO_free,	2_2_00007FFDFA0160AA
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002116 CRYPTO_malloc,	2_2_00007FFDFA002116
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001BAE CRYPTO_free,CRYPTO_malloc,	2_2_00007FFDFA001BAE
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA022150 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FFDFA022150
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00225C CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	2_2_00007FFDFA00225C
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001663 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA001663
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA018180 EVP_PKEY_CTX_new,EVP_PKEY_derive_init,EVP_PKEY_derive_set_peer,EVP_PKEY_derive,CRYPTO_malloc,EVP_PKEY_derive,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FFDFA018180
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0341B0 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	2_2_00007FFDFA0341B0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0141B0 CRYPTO_clear_free,	2_2_00007FFDFA0141B0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA050200 CRYPTO_free,CRYPTO_free,CRYPTO_strndup,	2_2_00007FFDFA050200
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA03A250 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FFDFA03A250
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA004660 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,	2_2_00007FFDFA004660
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA02C6D0 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	2_2_00007FFDFA02C6D0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0016B8 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_clear_error,OPENSSL_sk_value,X509_get0_pubkey,EVP_PKEY_missing_parameters,X509_free,X509_up_ref,X509_free,OPENSSL_sk_pop_free,	2_2_00007FFDFA0016B8
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA01A710 CRYPTO_THREAD_run_once,	2_2_00007FFDFA01A710
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001B9A CRYPTO_free,CRYPTO_malloc,	2_2_00007FFDFA001B9A
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA040740 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA040740
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001519 CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,ERR_put_error,ERR_put_error,ERR_put_error,memcpy,	2_2_00007FFDFA001519
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001AB9 CRYPTO_free,	2_2_00007FFDFA001AB9
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001249 CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,memcpy,	2_2_00007FFDFA001249
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0587E0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FFDFA0587E0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001E60 CRYPTO_clear_free,	2_2_00007FFDFA001E60
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001500 CRYPTO_memdup,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FFDFA001500
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0024D7 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,OPENSSL_sk_num,CRYPTO_memcmp,CRYPTO_free,X509_free,OPENSSL_sk_pop_free,OPENSSL_sk_value,X509_get0_pubkey,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,	2_2_00007FFDFA0024D7
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002513 CRYPTO_free,	2_2_00007FFDFA002513
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0017D5 CRYPTO_malloc,memcpy,	2_2_00007FFDFA0017D5
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0084E0 CRYPTO_zalloc,ERR_put_error,	2_2_00007FFDFA0084E0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA034530 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,	2_2_00007FFDFA034530
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA052530 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,	2_2_00007FFDFA052530
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA008590 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,	2_2_00007FFDFA008590
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0185D0 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	2_2_00007FFDFA0185D0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001F9B CRYPTO_free,BIO_clear_flags,BIO_set_flags,BIO_snprintf,ERR_add_error_data,memcpy,	2_2_00007FFDFA001F9B
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0385F0 CRYPTO_zalloc,CRYPTO_free,	2_2_00007FFDFA0385F0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0245E0 X509_VERIFY_PARAM_free,CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,ENGINE_finish,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FFDFA0245E0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0E0C30 ??0QUrl@@QEAA@AEBV0@@Z,??0QString@@QEAA@XZ,?setPassword@QUrl@@QEAAXAEBVQString@@W4ParsingMode@1@@Z,??1QString@@QEAA@XZ,??0QString@@QEAA@XZ,?setFragment@QUrl@@QEAAXAEBVQString@@W4ParsingMode@1@@Z,??1QString@@QEAA@XZ,??0QCryptographicHash@@QEAA@W4Algorithm@0@@Z,?toEncoded@QUrl@@QEBA?AVQByteArray@@V?$QUrlTwoFlags@W4UrlFormattingOption@QUrl@@W4ComponentFormattingOption@2@@@@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,??1QByteArray@@QEAA@XZ,?result@QCryptographicHash@@QEBA?AVQByteArray@@XZ,?data@QString@@QEBAPEBVQChar@@XZ,?number@QByteArray@@SA?AV1@_JH@Z,?left@QByteArray@@QEBA?AV1@H@Z,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,?size@QString@@QEBAHXZ,?at@QByteArray@@QEBADH@Z,?size@QString@@QEBAHXZ,?data@QString@@QEBAPEBVQChar@@XZ,?data@QString@@QEBAPEBVQChar@@XZ,?number@QString@@SA?AV1@IH@Z,?size@QString@@QEBAHXZ,??0QString@@QEAA@HW4Initialization@Qt@@@Z,?data@QString@@QEBAPEBVQChar@@XZ,?size@QString@@QEBAHXZ,?data@QString@@QEBAPEBVQChar@@XZ,memmove,??0QChar@@QEAA@UQLatin1Char@@@Z,?appendLatin1To@QAbstractConcatenable@@KAXPEBDHPEAVQChar@@@Z,?appendLatin1To@QAbstractConcatenable@@KAXPEBDHPEAVQChar@@@Z,??1QString@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QCryptographicHash@@QEAA@XZ,??1QUrl@@QEAA@XZ,	2_2_00007FFDFA0E0C30
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA12A940 ??0QCryptographicHash@@QEAA@W4Algorithm@0@@Z,??0QString@@QEAA@XZ,??0QByteArray@@QEAA@HD@Z,??0QByteArray@@QEAA@HD@Z,?reset@QCryptographicHash@@QEAAXXZ,?size@QString@@QEBAHXZ,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?result@QCryptographicHash@@QEBA?AVQByteArray@@XZ,??4QDateTime@@QEAAAEAV0@$$QEAV0@@Z,??1QByteArray@@QEAA@XZ,?leftJustified@QByteArray@@QEBA?AV1@HD_N@Z,??4QDateTime@@QEAAAEAV0@$$QEAV0@@Z,??1QByteArray@@QEAA@XZ,?size@QString@@QEBAHXZ,??AQByteArray@@QEAA?AVQByteRef@@H@Z,??BQByteRef@@QEBADXZ,??AQByteArray@@QEAA?AVQByteRef@@H@Z,??BQByteRef@@QEBADXZ,??AQByteArray@@QEAA?AVQByteRef@@H@Z,??4QByteRef@@QEAAAEAV0@D@Z,?size@QString@@QEBAHXZ,?size@QString@@QEBAHXZ,??AQByteArray@@QEAA?AVQByteRef@@H@Z,??BQByteRef@@QEBADXZ,??AQByteArray@@QEAA?AVQByteRef@@H@Z,??BQByteRef@@QEBADXZ,??AQByteArray@@QEAA?AVQByteRef@@H@Z,??4QByteRef@@QEAAAEAV0@D@Z,?size@QString@@QEBAHXZ,?append@QByteArray@@QEAAAEAV1@AEBV1@@Z,?reset@QCryptographicHash@@QEAAXXZ,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?result@QCryptographicHash@@QEBA?AVQByteArray@@XZ,??4QDateTime@@QEAAAEAV0@$$QEAV0@@Z,??1QByteArray@@QEAA@XZ,??0QString@@QEAA@XZ,?append@QByteArray@@QEAAAEAV1@AEBV1@@Z,?reset@QCryptographicHash@@QEAAXXZ,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?result@QCryptographicHash@@QEBA?AVQByteArray@@XZ,??4QDateTime@@QEAAAEAV0@$$QEAV0@@Z,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QCryptographicHash@@QEAA@XZ,	2_2_00007FFDFA12A940
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA1293C0 ??0QCryptographicHash@@QEAA@W4Algorithm@0@@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?result@QCryptographicHash@@QEBA?AVQByteArray@@XZ,?compare@QByteArray@@QEBAHPEBDW4CaseSensitivity@Qt@@@Z,?reset@QCryptographicHash@@QEAAXXZ,?toHex@QByteArray@@QEBA?AV1@XZ,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,??1QByteArray@@QEAA@XZ,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?result@QCryptographicHash@@QEBA?AVQByteArray@@XZ,??4QDateTime@@QEAAAEAV0@$$QEAV0@@Z,??1QByteArray@@QEAA@XZ,?toHex@QByteArray@@QEBA?AV1@XZ,??4QDateTime@@QEAAAEAV0@$$QEAV0@@Z,??1QByteArray@@QEAA@XZ,?reset@QCryptographicHash@@QEAAXXZ,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?compare@QByteArray@@QEBAHPEBDW4CaseSensitivity@Qt@@@Z,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?result@QCryptographicHash@@QEBA?AVQByteArray@@XZ,?toHex@QByteArray@@QEBA?AV1@XZ,??1QByteArray@@QEAA@XZ,?reset@QCryptographicHash@@QEAAXXZ,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?isNull@QByteArray@@QEBA_NXZ,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?addData@QCryptographicHash@@QEAAXAEBVQByteArray@@@Z,?result@QCryptographicHash@@QEBA?AVQByteArray@@XZ,?toHex@QByteArray@@QEBA?AV1@XZ,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QCryptographicHash@@QEAA@XZ,	2_2_00007FFDFA1293C0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA128150 ??0QString@@QEAA@XZ,??0QString@@QEAA@XZ,??0QString@@QEAA@XZ,?shared_null@QHashData@@2U1@B,??0QString@@QEAA@XZ,??0QString@@QEAA@XZ,??0QString@@QEAA@XZ,??0QString@@QEAA@XZ,??0QString@@QEAA@XZ,?system@QRandomGenerator64@@SAPEAV1@XZ,?_fillRange@QRandomGenerator@@AEAAXPEAX0@Z,?number@QByteArray@@SA?AV1@_KH@Z,?hash@QCryptographicHash@@SA?AVQByteArray@@AEBV2@W4Algorithm@1@@Z,?toHex@QByteArray@@QEBA?AV1@XZ,??4QDateTime@@QEAAAEAV0@$$QEAV0@@Z,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,	2_2_00007FFDFA128150
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA12A7C0 ?size@QString@@QEBAHXZ,??0QCryptographicHash@@QEAA@W4Algorithm@0@@Z,?size@QString@@QEBAHXZ,?begin@QByteArray@@QEAAPEADXZ,?addData@QCryptographicHash@@QEAAXPEBDH@Z,?result@QCryptographicHash@@QEBA?AVQByteArray@@XZ,?toUpper@QString@@QEGBA?AV1@XZ,??0QByteArray@@QEAA@AEBV0@@Z,??YQByteArray@@QEAAAEAV0@AEBV0@@Z,??1QByteArray@@QEAA@XZ,??1QString@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??4QDateTime@@QEAAAEAV0@$$QEAV0@@Z,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QCryptographicHash@@QEAA@XZ,??0QByteArray@@QEAA@AEBV0@@Z,	2_2_00007FFDFA12A7C0

Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_f54c6137-d

Source: 4OVYJHCTFA.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmp, EASteamProxy.exe, 00000002.00000002.1693873503.00007FFDFA536000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmp, EASteamProxy.exe, 00000002.00000002.1693873503.00007FFDFA536000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1s 1 Nov 2022built on: Fri Feb 3 01:12:04 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "D:\juno\p4\desktop\packages\openSSL\1.1.1s\installed\dist\pc64_dll_release\lib\engines-1_1"not available source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1660437574.00007FFDFB193000.00000002.00000001.01000000.0000000A.sdmp, EASteamProxy.exe, 00000002.00000002.1693576225.00007FFDFA3D3000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1662343914.00007FFE130C3000.00000002.00000001.01000000.0000000E.sdmp, EASteamProxy.exe, 00000002.00000002.1694524165.00007FFE126D3000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 00000003.00000002.1924825717.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1925067473.0000000005720000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\juno\p4\desktop\packages\openSSL\1.1.1s\installed\source\libcrypto-1_1-x64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002E7C000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1660437574.00007FFDFB215000.00000002.00000001.01000000.0000000A.sdmp, EASteamProxy.exe, 00000002.00000002.1693576225.00007FFDFA455000.00000002.00000001.01000000.00000015.sdmp, EASteamProxy.exe, 00000005.00000002.1773030063.00007FFDFB435000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: ntdll.pdbUGP source: EASteamProxy.exe, 00000001.00000002.1658752702.0000023839E30000.00000004.00000800.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1658587407.0000023839A3A000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692224582.0000024614F7C000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692548057.0000024615570000.00000004.00000001.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692366674.0000024615370000.00000004.00000800.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771581420.00000257755F7000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771917334.0000025775BF6000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdbGCTL source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1662343914.00007FFE130C3000.00000002.00000001.01000000.0000000E.sdmp, EASteamProxy.exe, 00000002.00000002.1694524165.00007FFE126D3000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, 00000003.00000002.1924825717.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1925067473.0000000005720000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Q:\build\qt\qtbase\lib\Qt5Core.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000034C8000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1660898119.00007FFDFB73C000.00000002.00000001.01000000.00000006.sdmp, EASteamProxy.exe, 00000002.00000002.1694121588.00007FFDFAA0C000.00000002.00000001.01000000.00000011.sdmp, EASteamProxy.exe, 00000005.00000002.1773451655.00007FFDFB95C000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1647120752.0000000000660000.00000004.00001000.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1662897785.00007FFE13311000.00000002.00000001.01000000.00000008.sdmp, EASteamProxy.exe, 00000002.00000002.1694632093.00007FFE126F1000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 4OVYJHCTFA.exe, 00000000.00000003.1647120752.0000000000660000.00000004.00001000.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1662897785.00007FFE13311000.00000002.00000001.01000000.00000008.sdmp, EASteamProxy.exe, 00000002.00000002.1694632093.00007FFE126F1000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: FatalErrorWarningDebugassert.report.fatalassert.report.errorassert.report.warningassert.report.debugassert.report.unknownasserts already initializedeax::foundation::initAssertionssAssertFailureFn == nullptr.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1647120752.0000000000660000.00000004.00001000.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1663012636.00007FFE148E5000.00000002.00000001.01000000.00000009.sdmp, EASteamProxy.exe, 00000002.00000002.1694701423.00007FFE12E15000.00000002.00000001.01000000.00000016.sdmp, EASteamProxy.exe, 00000005.00000002.1774511818.00007FFE148E5000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1660437574.00007FFDFB193000.00000002.00000001.01000000.0000000A.sdmp, EASteamProxy.exe, 00000002.00000002.1693576225.00007FFDFA3D3000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: .pdb.map.___> => > source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\juno\p4\desktop\packages\openSSL\1.1.1s\installed\source\libssl-1_1-x64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmp, EASteamProxy.exe, 00000002.00000002.1693179150.00007FFDFA074000.00000002.00000001.01000000.00000018.sdmp, EASteamProxy.exe, 00000005.00000002.1773874761.00007FFDFF244000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: ntdll.pdb source: EASteamProxy.exe, 00000001.00000002.1658752702.0000023839E30000.00000004.00000800.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1658587407.0000023839A3A000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692224582.0000024614F7C000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692548057.0000024615570000.00000004.00000001.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692366674.0000024615370000.00000004.00000800.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771581420.00000257755F7000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771917334.0000025775BF6000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Q:\build\qt\qtbase\lib\Qt5Network.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp, EASteamProxy.exe, 00000005.00000002.1772708477.00007FFDFB178000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\jenkins\workspace\dev\juno-win_live\build\eaSteamProxy\pc64-vc-tool-opt\bin\EASteamProxy.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\jenkins\workspace\dev\juno-win_live\build\eaSteamProxy\pc64-vc-tool-opt\bin\EASteamProxy.pdbc source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\juno\p4\desktop\packages\openSSL\1.1.1s\installed\source\libssl-1_1-x64.pdb?? source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmp, EASteamProxy.exe, 00000002.00000002.1693179150.00007FFDFA074000.00000002.00000001.01000000.00000018.sdmp, EASteamProxy.exe, 00000005.00000002.1773874761.00007FFDFF244000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: c:\buildslave\steam_rel_client_win64\build\src\steam_api\win64\Release\steam_api64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1662495748.00007FFE13227000.00000002.00000001.01000000.00000007.sdmp, EASteamProxy.exe, 00000002.00000002.1694444874.00007FFE11EC7000.00000002.00000001.01000000.00000012.sdmp, EASteamProxy.exe, 00000005.00000002.1774299159.00007FFE13227000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 4OVYJHCTFA.exe, 00000000.00000003.1647120752.0000000000660000.00000004.00001000.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1663012636.00007FFE148E5000.00000002.00000001.01000000.00000009.sdmp, EASteamProxy.exe, 00000002.00000002.1694701423.00007FFE12E15000.00000002.00000001.01000000.00000016.sdmp, EASteamProxy.exe, 00000005.00000002.1774511818.00007FFE148E5000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: Q:\build\qt\qtbase\lib\Qt5Core.pdbT source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000034C8000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1660898119.00007FFDFB73C000.00000002.00000001.01000000.00000006.sdmp, EASteamProxy.exe, 00000002.00000002.1694121588.00007FFDFAA0C000.00000002.00000001.01000000.00000011.sdmp, EASteamProxy.exe, 00000005.00000002.1773451655.00007FFDFB95C000.00000002.00000001.01000000.00000011.sdmp

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF4A260 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,	1_2_00007FFDFAF4A260

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: facilitycoursedw.shop
Source: Malware configuration extractor	URLs: doughtdrillyksow.shop
Source: Malware configuration extractor	URLs: disappointcredisotw.shop
Source: Malware configuration extractor	URLs: bargainnygroandjwk.shop
Source: Malware configuration extractor	URLs: injurypiggyoewirog.shop
Source: Malware configuration extractor	URLs: leafcalfconflcitw.shop
Source: Malware configuration extractor	URLs: computerexcudesp.shop
Source: Malware configuration extractor	URLs: publicitycharetew.shop
Source: Malware configuration extractor	URLs: periodicroytewrsn.shop

Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp

String found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)

Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp, EASteamProxy.exe, 00000005.00000002.1772708477.00007FFDFB178000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://bugreports.qt.io/
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp, EASteamProxy.exe, 00000005.00000002.1772708477.00007FFDFB178000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca
Source: EASteamProxy.exe, 00000005.00000002.1771379374.00000257752D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m%L
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: EASteamProxy.exe, 00000001.00000002.1658340322.0000023839710000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692036205.0000024614C50000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771379374.00000257752D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.co(m/D
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://dm.origin.com/
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://dm.origin.com/app.httpProxydevUsing
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.0000023839919000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614E5E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.0000000005617000.00000004.00000800.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771488189.00000257754DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp, EASteamProxy.exe, 00000005.00000002.1772708477.00007FFDFB178000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp, EASteamProxy.exe, 00000005.00000002.1772708477.00007FFDFB178000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/netty/netty/issues/6520.
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/netty/netty/issues/6520.s
Source: EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://ps3.scedev.net/
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://statsigapi.net
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://statsigapi.net/v1/initializeeax::apps::experimentation::loadFeatureGateseax::apps::experimen
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://store.steampowered.com/app/
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://store.steampowered.com/app/User
Source: EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002EE5000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmp, EASteamProxy.exe, 00000001.00000002.1660590275.00007FFDFB28A000.00000002.00000001.01000000.0000000A.sdmp, EASteamProxy.exe, 00000002.00000002.1693777277.00007FFDFA4CA000.00000002.00000001.01000000.00000015.sdmp, EASteamProxy.exe, 00000002.00000002.1693226925.00007FFDFA0A9000.00000002.00000001.01000000.00000018.sdmp, EASteamProxy.exe, 00000005.00000002.1773950262.00007FFDFF279000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.openssl.org/H

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: 0_2_00404FAA	0_2_00404FAA
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: 0_2_0041206B	0_2_0041206B
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: 0_2_0041022D	0_2_0041022D
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: 0_2_00411F91	0_2_00411F91
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91C08	1_2_00007FFDFAE91C08
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9FEA0	1_2_00007FFDFAE9FEA0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEEFD80	1_2_00007FFDFAEEFD80
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE92491	1_2_00007FFDFAE92491
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91BC2	1_2_00007FFDFAE91BC2
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC91F0	1_2_00007FFDFAEC91F0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE923F6	1_2_00007FFDFAE923F6
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9F745	1_2_00007FFDFAE9F745
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE9B480	1_2_00007FFDFAE9B480
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA5640	1_2_00007FFDFAEA5640
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEA2A10	1_2_00007FFDFAEA2A10
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEF8F30	1_2_00007FFDFAEF8F30
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91357	1_2_00007FFDFAE91357
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE912B2	1_2_00007FFDFAE912B2
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91924	1_2_00007FFDFAE91924
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAEC2D10	1_2_00007FFDFAEC2D10
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE96C80	1_2_00007FFDFAE96C80
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE915CD	1_2_00007FFDFAE915CD
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91E83	1_2_00007FFDFAE91E83
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE912E4	1_2_00007FFDFAE912E4
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91E7E	1_2_00007FFDFAE91E7E
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE924D7	1_2_00007FFDFAE924D7
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF7AAFC	1_2_00007FFDFAF7AAFC
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF64B30	1_2_00007FFDFAF64B30
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF4FA30	1_2_00007FFDFAF4FA30
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF56A58	1_2_00007FFDFAF56A58
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF4E8D0	1_2_00007FFDFAF4E8D0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF5AFD0	1_2_00007FFDFAF5AFD0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF55E60	1_2_00007FFDFAF55E60
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF66EFC	1_2_00007FFDFAF66EFC
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF7FF06	1_2_00007FFDFAF7FF06
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF7BF18	1_2_00007FFDFAF7BF18
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF79E18	1_2_00007FFDFAF79E18
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF60E3C	1_2_00007FFDFAF60E3C
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF74CA0	1_2_00007FFDFAF74CA0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF5FCD0	1_2_00007FFDFAF5FCD0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF563C8	1_2_00007FFDFAF563C8
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF7344C	1_2_00007FFDFAF7344C
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF5D2B0	1_2_00007FFDFAF5D2B0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF4B338	1_2_00007FFDFAF4B338
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF6B160	1_2_00007FFDFAF6B160
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF5C140	1_2_00007FFDFAF5C140
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF4D7B0	1_2_00007FFDFAF4D7B0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF657E0	1_2_00007FFDFAF657E0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF7183C	1_2_00007FFDFAF7183C
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF66668	1_2_00007FFDFAF66668
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF4C6B0	1_2_00007FFDFAF4C6B0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF6A6C0	1_2_00007FFDFAF6A6C0
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF566FC	1_2_00007FFDFAF566FC
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF6C720	1_2_00007FFDFAF6C720
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF60560	1_2_00007FFDFAF60560
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF7C610	1_2_00007FFDFAF7C610
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF76650	1_2_00007FFDFAF76650
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF75470	1_2_00007FFDFAF75470
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF5E470	1_2_00007FFDFAF5E470
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF6250C	1_2_00007FFDFAF6250C
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF77540	1_2_00007FFDFAF77540
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001C08	2_2_00007FFDFA001C08
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00FEA0	2_2_00007FFDFA00FEA0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA05FD80	2_2_00007FFDFA05FD80
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA002491	2_2_00007FFDFA002491
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001BC2	2_2_00007FFDFA001BC2
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0391F0	2_2_00007FFDFA0391F0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0023F6	2_2_00007FFDFA0023F6
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00F745	2_2_00007FFDFA00F745
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA00B480	2_2_00007FFDFA00B480
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA015640	2_2_00007FFDFA015640
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA012A10	2_2_00007FFDFA012A10
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001357	2_2_00007FFDFA001357
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA006C80	2_2_00007FFDFA006C80
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA032D10	2_2_00007FFDFA032D10
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001924	2_2_00007FFDFA001924
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0012B2	2_2_00007FFDFA0012B2
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0015CD	2_2_00007FFDFA0015CD
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001E83	2_2_00007FFDFA001E83
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0012E4	2_2_00007FFDFA0012E4
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001E7E	2_2_00007FFDFA001E7E
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0024D7	2_2_00007FFDFA0024D7
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0B3560	2_2_00007FFDFA0B3560
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA13CA80	2_2_00007FFDFA13CA80
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0ECAA0	2_2_00007FFDFA0ECAA0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0CFAC0	2_2_00007FFDFA0CFAC0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA111AE0	2_2_00007FFDFA111AE0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0C9B00	2_2_00007FFDFA0C9B00
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0DFB30	2_2_00007FFDFA0DFB30
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA140BD0	2_2_00007FFDFA140BD0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA186C00	2_2_00007FFDFA186C00
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0FB8C0	2_2_00007FFDFA0FB8C0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0D58E0	2_2_00007FFDFA0D58E0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA1838E0	2_2_00007FFDFA1838E0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA123990	2_2_00007FFDFA123990
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0BA960	2_2_00007FFDFA0BA960
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0EF980	2_2_00007FFDFA0EF980
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0E49F0	2_2_00007FFDFA0E49F0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0E3A00	2_2_00007FFDFA0E3A00
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0CBA30	2_2_00007FFDFA0CBA30
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0FCA40	2_2_00007FFDFA0FCA40
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0B6E60	2_2_00007FFDFA0B6E60
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0CAE60	2_2_00007FFDFA0CAE60
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA114E60	2_2_00007FFDFA114E60
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA118F50	2_2_00007FFDFA118F50
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0CDF50	2_2_00007FFDFA0CDF50
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0CFF60	2_2_00007FFDFA0CFF60
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0E1FE0	2_2_00007FFDFA0E1FE0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA123C90	2_2_00007FFDFA123C90
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0F3CA0	2_2_00007FFDFA0F3CA0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA110CF0	2_2_00007FFDFA110CF0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0BFD00	2_2_00007FFDFA0BFD00
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA118D70	2_2_00007FFDFA118D70
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0C9DA0	2_2_00007FFDFA0C9DA0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0BEDC0	2_2_00007FFDFA0BEDC0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0FCDC0	2_2_00007FFDFA0FCDC0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA103E50	2_2_00007FFDFA103E50
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA113E30	2_2_00007FFDFA113E30
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA118260	2_2_00007FFDFA118260
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0D82D0	2_2_00007FFDFA0D82D0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0EE340	2_2_00007FFDFA0EE340
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0D9340	2_2_00007FFDFA0D9340
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0F7380	2_2_00007FFDFA0F7380
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA1423B0	2_2_00007FFDFA1423B0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA1193B0	2_2_00007FFDFA1193B0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0FC3C0	2_2_00007FFDFA0FC3C0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA117400	2_2_00007FFDFA117400
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0F4440	2_2_00007FFDFA0F4440
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0EF0B0	2_2_00007FFDFA0EF0B0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0FC1A0	2_2_00007FFDFA0FC1A0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA13F1A0	2_2_00007FFDFA13F1A0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0CD1D0	2_2_00007FFDFA0CD1D0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA112690	2_2_00007FFDFA112690
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0F06F0	2_2_00007FFDFA0F06F0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0F26E0	2_2_00007FFDFA0F26E0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA1236F0	2_2_00007FFDFA1236F0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA10E740	2_2_00007FFDFA10E740
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0F8800	2_2_00007FFDFA0F8800
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0D6850	2_2_00007FFDFA0D6850
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0F34B0	2_2_00007FFDFA0F34B0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0CC530	2_2_00007FFDFA0CC530
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0F1590	2_2_00007FFDFA0F1590
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0B35E0	2_2_00007FFDFA0B35E0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0FB630	2_2_00007FFDFA0FB630
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA0C9620	2_2_00007FFDFA0C9620

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\msvcp140.dll 74892D9B4028C05DEBAF0B9B5D9DC6D22F7956FA7D7EEE00C681318C26792823

Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: String function: 00007FFDFA06CD3F appears 196 times
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: String function: 00007FFDFA06CDD5 appears 104 times
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: String function: 00007FFDFA001023 appears 558 times
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: String function: 0040243B appears 37 times
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: String function: 00007FFDFAE91023 appears 577 times
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: String function: 00007FFDFAEFCDD5 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: String function: 00007FFDFAEFCD3F appears 200 times

Source: 4OVYJHCTFA.exe, 00000000.00000003.1635577840.000000000246D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002EE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEASteamProxy.exe& vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000000.1634565659.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dllT vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000034C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Core.dll( vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1647120752.0000000000660000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1647120752.0000000000660000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Network.dll( vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesteam_api.dllB vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs 4OVYJHCTFA.exe
Source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs 4OVYJHCTFA.exe

Source: 4OVYJHCTFA.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Qt5Core.dll.0.dr	Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
Source: Qt5Core.dll.1.dr	Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317

Source: classification engine

Classification label: mal100.troj.evad.winEXE@16/28@0/0

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00407776

Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe

Code function: 2_2_00007FFDFA186E00 ?shared_null@QListData@@2UData@1@B,CertOpenSystemStoreW,CertFindCertificateInStore,??0QByteArray@@QEAA@PEBDH@Z,?append@QListData@@QEAAPEAPEAXXZ,??1QByteArray@@QEAA@XZ,CertFindCertificateInStore,CertCloseStore,

2_2_00007FFDFA186E00

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040118A

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004034C1

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401BDF

Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe

File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

File created: C:\Users\user\AppData\Local\Temp\blackleg.pptx

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: 4OVYJHCTFA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4OVYJHCTFA.exe	ReversingLabs: Detection: 70%
Source: 4OVYJHCTFA.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

File read: C:\Users\user\Desktop\4OVYJHCTFA.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4OVYJHCTFA.exe "C:\Users\user\Desktop\4OVYJHCTFA.exe"
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Process created: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe "C:\Users\user\AppData\Local\Temp\EASteamProxy.exe"
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Process created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Process created: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe "C:\Users\user\AppData\Local\Temp\EASteamProxy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Process created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: steam_api64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: libcrypto-1_1-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: libssl-1_1-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: msvcp140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: steam_api64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: libcrypto-1_1-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: libssl-1_1-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: msvcp140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: steam_api64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: libcrypto-1_1-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: libssl-1_1-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: msvcp140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: 4OVYJHCTFA.exe

Static file information: File size 6198600 > 1048576

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmp, EASteamProxy.exe, 00000002.00000002.1693873503.00007FFDFA536000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmp, EASteamProxy.exe, 00000002.00000002.1693873503.00007FFDFA536000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1s 1 Nov 2022built on: Fri Feb 3 01:12:04 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "D:\juno\p4\desktop\packages\openSSL\1.1.1s\installed\dist\pc64_dll_release\lib\engines-1_1"not available source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1660437574.00007FFDFB193000.00000002.00000001.01000000.0000000A.sdmp, EASteamProxy.exe, 00000002.00000002.1693576225.00007FFDFA3D3000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1662343914.00007FFE130C3000.00000002.00000001.01000000.0000000E.sdmp, EASteamProxy.exe, 00000002.00000002.1694524165.00007FFE126D3000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 00000003.00000002.1924825717.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1925067473.0000000005720000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\juno\p4\desktop\packages\openSSL\1.1.1s\installed\source\libcrypto-1_1-x64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002E7C000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1660437574.00007FFDFB215000.00000002.00000001.01000000.0000000A.sdmp, EASteamProxy.exe, 00000002.00000002.1693576225.00007FFDFA455000.00000002.00000001.01000000.00000015.sdmp, EASteamProxy.exe, 00000005.00000002.1773030063.00007FFDFB435000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: ntdll.pdbUGP source: EASteamProxy.exe, 00000001.00000002.1658752702.0000023839E30000.00000004.00000800.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1658587407.0000023839A3A000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692224582.0000024614F7C000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692548057.0000024615570000.00000004.00000001.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692366674.0000024615370000.00000004.00000800.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771581420.00000257755F7000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771917334.0000025775BF6000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdbGCTL source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1662343914.00007FFE130C3000.00000002.00000001.01000000.0000000E.sdmp, EASteamProxy.exe, 00000002.00000002.1694524165.00007FFE126D3000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, 00000003.00000002.1924825717.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1925067473.0000000005720000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Q:\build\qt\qtbase\lib\Qt5Core.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000034C8000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1660898119.00007FFDFB73C000.00000002.00000001.01000000.00000006.sdmp, EASteamProxy.exe, 00000002.00000002.1694121588.00007FFDFAA0C000.00000002.00000001.01000000.00000011.sdmp, EASteamProxy.exe, 00000005.00000002.1773451655.00007FFDFB95C000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1647120752.0000000000660000.00000004.00001000.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1662897785.00007FFE13311000.00000002.00000001.01000000.00000008.sdmp, EASteamProxy.exe, 00000002.00000002.1694632093.00007FFE126F1000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 4OVYJHCTFA.exe, 00000000.00000003.1647120752.0000000000660000.00000004.00001000.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1662897785.00007FFE13311000.00000002.00000001.01000000.00000008.sdmp, EASteamProxy.exe, 00000002.00000002.1694632093.00007FFE126F1000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: FatalErrorWarningDebugassert.report.fatalassert.report.errorassert.report.warningassert.report.debugassert.report.unknownasserts already initializedeax::foundation::initAssertionssAssertFailureFn == nullptr.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1647120752.0000000000660000.00000004.00001000.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1663012636.00007FFE148E5000.00000002.00000001.01000000.00000009.sdmp, EASteamProxy.exe, 00000002.00000002.1694701423.00007FFE12E15000.00000002.00000001.01000000.00000016.sdmp, EASteamProxy.exe, 00000005.00000002.1774511818.00007FFE148E5000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1660437574.00007FFDFB193000.00000002.00000001.01000000.0000000A.sdmp, EASteamProxy.exe, 00000002.00000002.1693576225.00007FFDFA3D3000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: .pdb.map.___> => > source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\juno\p4\desktop\packages\openSSL\1.1.1s\installed\source\libssl-1_1-x64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmp, EASteamProxy.exe, 00000002.00000002.1693179150.00007FFDFA074000.00000002.00000001.01000000.00000018.sdmp, EASteamProxy.exe, 00000005.00000002.1773874761.00007FFDFF244000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: ntdll.pdb source: EASteamProxy.exe, 00000001.00000002.1658752702.0000023839E30000.00000004.00000800.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1658587407.0000023839A3A000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692224582.0000024614F7C000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692548057.0000024615570000.00000004.00000001.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692366674.0000024615370000.00000004.00000800.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771581420.00000257755F7000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771917334.0000025775BF6000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Q:\build\qt\qtbase\lib\Qt5Network.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp, EASteamProxy.exe, 00000005.00000002.1772708477.00007FFDFB178000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\jenkins\workspace\dev\juno-win_live\build\eaSteamProxy\pc64-vc-tool-opt\bin\EASteamProxy.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\jenkins\workspace\dev\juno-win_live\build\eaSteamProxy\pc64-vc-tool-opt\bin\EASteamProxy.pdbc source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\juno\p4\desktop\packages\openSSL\1.1.1s\installed\source\libssl-1_1-x64.pdb?? source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmp, EASteamProxy.exe, 00000002.00000002.1693179150.00007FFDFA074000.00000002.00000001.01000000.00000018.sdmp, EASteamProxy.exe, 00000005.00000002.1773874761.00007FFDFF244000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: c:\buildslave\steam_rel_client_win64\build\src\steam_api\win64\Release\steam_api64.pdb source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1662495748.00007FFE13227000.00000002.00000001.01000000.00000007.sdmp, EASteamProxy.exe, 00000002.00000002.1694444874.00007FFE11EC7000.00000002.00000001.01000000.00000012.sdmp, EASteamProxy.exe, 00000005.00000002.1774299159.00007FFE13227000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 4OVYJHCTFA.exe, 00000000.00000003.1647120752.0000000000660000.00000004.00001000.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1663012636.00007FFE148E5000.00000002.00000001.01000000.00000009.sdmp, EASteamProxy.exe, 00000002.00000002.1694701423.00007FFE12E15000.00000002.00000001.01000000.00000016.sdmp, EASteamProxy.exe, 00000005.00000002.1774511818.00007FFE148E5000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: Q:\build\qt\qtbase\lib\Qt5Core.pdbT source: 4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000034C8000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1660898119.00007FFDFB73C000.00000002.00000001.01000000.00000006.sdmp, EASteamProxy.exe, 00000002.00000002.1694121588.00007FFDFAA0C000.00000002.00000001.01000000.00000011.sdmp, EASteamProxy.exe, 00000005.00000002.1773451655.00007FFDFB95C000.00000002.00000001.01000000.00000011.sdmp

Source: vcruntime140.dll.0.dr

Static PE information: 0xC94BF788 [Wed Jan 6 22:49:44 2077 UTC]

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: 4OVYJHCTFA.exe	Static PE information: real checksum: 0x33302 should be: 0x5ead76
Source: libcrypto-1_1-x64.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x2bdc1b
Source: Qt5Network.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x156ab5
Source: libcrypto-1_1-x64.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x2bdc1b
Source: gqnmaqicmbds.3.dr	Static PE information: real checksum: 0x0 should be: 0x523b9
Source: libssl-1_1-x64.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa8dea
Source: libssl-1_1-x64.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0xa8dea
Source: Qt5Network.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x156ab5
Source: Qt5Core.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x607c55
Source: tbh.6.dr	Static PE information: real checksum: 0x0 should be: 0x523b9
Source: Qt5Core.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x607c55

Source: vcruntime140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1-x64.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1-x64.dll.0.dr	Static PE information: section name: .00cfg
Source: Qt5Core.dll.0.dr	Static PE information: section name: .qtmimed
Source: steam_api64.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1-x64.dll.1.dr	Static PE information: section name: .00cfg
Source: libssl-1_1-x64.dll.1.dr	Static PE information: section name: .00cfg
Source: Qt5Core.dll.1.dr	Static PE information: section name: .qtmimed
Source: steam_api64.dll.1.dr	Static PE information: section name: _RDATA
Source: vcruntime140.dll.1.dr	Static PE information: section name: _RDATA
Source: gqnmaqicmbds.3.dr	Static PE information: section name: qtam
Source: tbh.6.dr	Static PE information: section name: qtam

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: 0_2_00411C20 push eax; ret	0_2_00411C4E
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAED6011 push rcx; ret	1_2_00007FFDFAED6012
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF7D5EA push rdx; retf	1_2_00007FFDFAF7D5EB
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA046011 push rcx; ret	2_2_00007FFDFA046012

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	File created: C:\Users\user\AppData\Local\Temp\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\steam_api64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\gqnmaqicmbds	Jump to dropped file
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	File created: C:\Users\user\AppData\Local\Temp\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	File created: C:\Users\user\AppData\Local\Temp\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	File created: C:\Users\user\AppData\Local\Temp\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	File created: C:\Users\user\AppData\Local\Temp\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	File created: C:\Users\user\AppData\Local\Temp\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	File created: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	File created: C:\Users\user\AppData\Local\Temp\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	File created: C:\Users\user\AppData\Local\Temp\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	File created: C:\Users\user\AppData\Local\Temp\steam_api64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\Qt5Core.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\tbh	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	File created: C:\Users\user\AppData\Roaming\demoWordpad_dbg\vcruntime140_1.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\gqnmaqicmbds			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\tbh			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\GQNMAQICMBDS
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TBH

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6CF73B97
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 73A317

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gqnmaqicmbds			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tbh			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe

API coverage: 0.1 %

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF4A260 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,	1_2_00007FFDFAF4A260

Source: cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: 4OVYJHCTFA.exe, 00000000.00000002.1663479280.00000000006E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0

Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe

Code function: 1_2_00007FFDFAE91D75 __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FFDFAE91D75

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAE91D75 __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFAE91D75
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: 1_2_00007FFDFAF934B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFAF934B4
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA001D75 __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFDFA001D75
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Code function: 2_2_00007FFDFA196CC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFDFA196CC0

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtCreateFile: Direct from: 0xA200000080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtAllocateVirtualMemory: Direct from: 0x24612F4ABF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtProtectVirtualMemory: Direct from: 0x250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtQuerySystemInformation: Direct from: 0x25700000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtAllocateVirtualMemory: Direct from: 0x110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtCreateFile: Direct from: 0x7B00000080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtClose: Direct from: 0xA2F3EFE608
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtCreateFile: Direct from: 0x7FFDFAB878EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtClose: Direct from: 0x24612F4CDB0
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtAllocateVirtualMemory: Direct from: 0x257733ACC30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtQuerySystemInformation: Direct from: 0x7FFD40CB21D3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtProtectVirtualMemory: Direct from: 0x25775296400	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtProtectVirtualMemory: Direct from: 0x25C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtAllocateVirtualMemory: Direct from: 0x7FFDFAF28054	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	NtProtectVirtualMemory: Direct from: 0x7FFE221C26A1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtProtectVirtualMemory: Direct from: 0x24612DAE010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtAllocateVirtualMemory: Direct from: 0x7FFDFAB98054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtAllocateVirtualMemory: Direct from: 0xA0A76ACB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtCreateFile: Direct from: 0x7FFDFAF178EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtClose: Direct from: 0x25775296E90
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtProtectVirtualMemory: Direct from: 0x3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtAllocateVirtualMemory: Direct from: 0x24612DAEB1E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtQuerySystemInformation: Direct from: 0x24600000000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	NtQuerySystemInformation: Direct from: 0x551494E170	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtAllocateVirtualMemory: Direct from: 0x25773478B0E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	NtClose: Direct from: 0x1F1E
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	NtClose: Direct from: 0x7BF418E198

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5776 base: 2D50000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5776 base: 2F202D8 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5776 base: 2F211E8 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5776 base: 7379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5776 base: 490000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5796 base: 1E0000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5796 base: 3AA2D8 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5796 base: 3AB1E8 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5796 base: 7379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 5796 base: 400000 value: 00	Jump to behavior

LummaC encrypted strings found

Source: cmd.exe, 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: facilitycoursedw.shop
Source: cmd.exe, 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: doughtdrillyksow.shop
Source: cmd.exe, 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: disappointcredisotw.shop
Source: cmd.exe, 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bargainnygroandjwk.shop
Source: cmd.exe, 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: injurypiggyoewirog.shop
Source: cmd.exe, 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: leafcalfconflcitw.shop
Source: cmd.exe, 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: computerexcudesp.shop
Source: cmd.exe, 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: publicitycharetew.shop
Source: cmd.exe, 00000003.00000002.1925302371.0000000005C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: periodicroytewrsn.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 7379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 490000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 7379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 400000	Jump to behavior

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Process created: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe "C:\Users\user\AppData\Local\Temp\EASteamProxy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Code function: 0_2_0040D72E cpuid

0_2_0040D72E

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	0_2_00401F9D
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: GetLocaleInfoEx,FormatMessageA,	1_2_00007FFDFAF5285C
Source: C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	Code function: ___lc_locale_name_func,GetLocaleInfoEx,	1_2_00007FFDFAF6F4F0

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401626

Source: C:\Users\user\Desktop\4OVYJHCTFA.exe

Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00404FAA

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 DLL Side-Loading	311 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	311 Process Injection	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	124 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4OVYJHCTFA.exe	71%	ReversingLabs	Win32.Spyware.Lummastealer
4OVYJHCTFA.exe	59%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\gqnmaqicmbds	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\tbh	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\gqnmaqicmbds	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tbh	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\EASteamProxy.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Qt5Core.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Qt5Network.dll	54%	ReversingLabs	Win64.Trojan.Rugmi
C:\Users\user\AppData\Local\Temp\Qt5Network.dll	8%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\gqnmaqicmbds	79%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\gqnmaqicmbds	78%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\libcrypto-1_1-x64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\libcrypto-1_1-x64.dll	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\libssl-1_1-x64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\libssl-1_1-x64.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\msvcp140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\msvcp140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\msvcp140_1.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\steam_api64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\steam_api64.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\tbh	79%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\tbh	78%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\vcruntime140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\vcruntime140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\vcruntime140_1.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\demoWordpad_dbg\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\demoWordpad_dbg\Qt5Core.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\demoWordpad_dbg\Qt5Network.dll	54%	ReversingLabs	Win64.Trojan.Rugmi
C:\Users\user\AppData\Roaming\demoWordpad_dbg\Qt5Network.dll	8%	Virustotal		Browse
C:\Users\user\AppData\Roaming\demoWordpad_dbg\libcrypto-1_1-x64.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\demoWordpad_dbg\libcrypto-1_1-x64.dll	1%	Virustotal		Browse
C:\Users\user\AppData\Roaming\demoWordpad_dbg\libssl-1_1-x64.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\demoWordpad_dbg\libssl-1_1-x64.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\demoWordpad_dbg\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\demoWordpad_dbg\msvcp140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\demoWordpad_dbg\msvcp140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\demoWordpad_dbg\msvcp140_1.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\demoWordpad_dbg\steam_api64.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\demoWordpad_dbg\steam_api64.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\demoWordpad_dbg\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\demoWordpad_dbg\vcruntime140.dll	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://www.vmware.com/0	0%	Virustotal		Browse
http://www.phreedom.org/md5)08:27	1%	Virustotal		Browse
http://dm.origin.com/	0%	Virustotal		Browse
https://github.com/netty/netty/issues/6520.	0%	Avira URL Cloud	safe
http://crl3.digicert.co(m/D	0%	Avira URL Cloud	safe
facilitycoursedw.shop	18%	Virustotal		Browse
http://www.phreedom.org/md5)	1%	Virustotal		Browse
http://dm.origin.com/	0%	Avira URL Cloud	safe
http://www.vmware.com/0	0%	Avira URL Cloud	safe
http://www.phreedom.org/md5)08:27	0%	Avira URL Cloud	safe
http://www.phreedom.org/md5)	0%	Avira URL Cloud	safe
facilitycoursedw.shop	100%	Avira URL Cloud	malware
https://statsigapi.net	0%	Avira URL Cloud	safe
http://www.vmware.com/0/	0%	Avira URL Cloud	safe
http://dm.origin.com/app.httpProxydevUsing	0%	Avira URL Cloud	safe
computerexcudesp.shop	100%	Avira URL Cloud	malware
doughtdrillyksow.shop	100%	Avira URL Cloud	malware
disappointcredisotw.shop	100%	Avira URL Cloud	malware
https://github.com/netty/netty/issues/6520.	0%	Virustotal		Browse
http://dm.origin.com/app.httpProxydevUsing	0%	Virustotal		Browse
computerexcudesp.shop	18%	Virustotal		Browse
http://c0rl.m%L	0%	Avira URL Cloud	safe
http://www.vmware.com/0/	0%	Virustotal		Browse
http://bugreports.qt.io/	0%	Avira URL Cloud	safe
https://store.steampowered.com/app/	0%	Avira URL Cloud	safe
leafcalfconflcitw.shop	100%	Avira URL Cloud	malware
https://ps3.scedev.net/	0%	Avira URL Cloud	safe
disappointcredisotw.shop	18%	Virustotal		Browse
https://statsigapi.net	0%	Virustotal		Browse
http://bugreports.qt.io/	0%	Virustotal		Browse
doughtdrillyksow.shop	18%	Virustotal		Browse
periodicroytewrsn.shop	100%	Avira URL Cloud	malware
https://www.openssl.org/H	0%	Avira URL Cloud	safe
http://www.info-zip.org/	0%	Avira URL Cloud	safe
publicitycharetew.shop	100%	Avira URL Cloud	malware
periodicroytewrsn.shop	0%	Virustotal		Browse
http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca	0%	Avira URL Cloud	safe
https://github.com/netty/netty/issues/6520.s	0%	Avira URL Cloud	safe
https://ps3.scedev.net/	0%	Virustotal		Browse
publicitycharetew.shop	19%	Virustotal		Browse
http://www.info-zip.org/	0%	Virustotal		Browse
bargainnygroandjwk.shop	100%	Avira URL Cloud	malware
injurypiggyoewirog.shop	100%	Avira URL Cloud	malware
https://github.com/netty/netty/issues/6520.s	0%	Virustotal		Browse
http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca	0%	Virustotal		Browse
https://store.steampowered.com/app/User	0%	Avira URL Cloud	safe
leafcalfconflcitw.shop	18%	Virustotal		Browse
https://store.steampowered.com/app/	0%	Virustotal		Browse
https://store.steampowered.com/app/User	0%	Virustotal		Browse
https://www.openssl.org/H	0%	Virustotal		Browse
injurypiggyoewirog.shop	17%	Virustotal		Browse
bargainnygroandjwk.shop	18%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
facilitycoursedw.shop	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
computerexcudesp.shop	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
doughtdrillyksow.shop	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
disappointcredisotw.shop	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
leafcalfconflcitw.shop	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
periodicroytewrsn.shop	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
publicitycharetew.shop	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
bargainnygroandjwk.shop	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
injurypiggyoewirog.shop	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.phreedom.org/md5)	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp, EASteamProxy.exe, 00000005.00000002.1772708477.00007FFDFB178000.00000002.00000001.01000000.00000017.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://dm.origin.com/	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)08:27	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp, EASteamProxy.exe, 00000005.00000002.1772708477.00007FFDFB178000.00000002.00000001.01000000.00000017.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.vmware.com/0	EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/netty/netty/issues/6520.	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl3.digicert.co(m/D	EASteamProxy.exe, 00000001.00000002.1658340322.0000023839710000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692036205.0000024614C50000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771379374.00000257752D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://statsigapi.net	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.vmware.com/0/	EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://dm.origin.com/app.httpProxydevUsing	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://c0rl.m%L	EASteamProxy.exe, 00000005.00000002.1771379374.00000257752D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://bugreports.qt.io/	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp, EASteamProxy.exe, 00000005.00000002.1772708477.00007FFDFB178000.00000002.00000001.01000000.00000017.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://store.steampowered.com/app/	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ps3.scedev.net/	EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	EASteamProxy.exe, 00000001.00000002.1658471064.000002383996F000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614EB4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.000000000565F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.openssl.org/H	4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002EE5000.00000004.00000020.00020000.00000000.sdmp, 4OVYJHCTFA.exe, 00000000.00000003.1646029435.0000000002F63000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmp, EASteamProxy.exe, 00000001.00000002.1660590275.00007FFDFB28A000.00000002.00000001.01000000.0000000A.sdmp, EASteamProxy.exe, 00000002.00000002.1693777277.00007FFDFA4CA000.00000002.00000001.01000000.00000015.sdmp, EASteamProxy.exe, 00000002.00000002.1693226925.00007FFDFA0A9000.00000002.00000001.01000000.00000018.sdmp, EASteamProxy.exe, 00000005.00000002.1773950262.00007FFDFF279000.00000002.00000001.01000000.00000018.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.info-zip.org/	EASteamProxy.exe, 00000001.00000002.1658471064.0000023839919000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000002.00000002.1692143846.0000024614E5E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1924966060.0000000005617000.00000004.00000800.00020000.00000000.sdmp, EASteamProxy.exe, 00000005.00000002.1771488189.00000257754DF000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000002.1661868306.00007FFDFF298000.00000002.00000001.01000000.0000000B.sdmp, EASteamProxy.exe, 00000002.00000002.1693336663.00007FFDFA198000.00000002.00000001.01000000.00000017.sdmp, EASteamProxy.exe, 00000005.00000002.1772708477.00007FFDFB178000.00000002.00000001.01000000.00000017.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/netty/netty/issues/6520.s	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://store.steampowered.com/app/User	4OVYJHCTFA.exe, 00000000.00000003.1646029435.00000000026D6000.00000004.00000020.00020000.00000000.sdmp, EASteamProxy.exe, 00000001.00000000.1649950475.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmp, EASteamProxy.exe, 00000002.00000002.1692951141.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000002.00000000.1657354262.00007FF642825000.00000002.00000001.01000000.00000010.sdmp, EASteamProxy.exe, 00000005.00000002.1772426207.00007FF642825000.00000002.00000001.01000000.00000010.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465836
Start date and time:	2024-07-02 06:45:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4OVYJHCTFA.exe renamed because original name is a hash value
Original Sample Name:	30772bcce9852eb58cf05a75bcdce2f9.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@16/28@0/0
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 40 Number of non-executed functions: 348
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target EASteamProxy.exe, PID 4888 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:46:25	API Interceptor	2x Sleep call for process: cmd.exe modified
00:46:33	API Interceptor	1x Sleep call for process: explorer.exe modified
05:46:07	Task Scheduler	Run new task: fastProtect_v1 path: C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\msvcp140.dll	webex(3).exe	Get hash	malicious	Unknown	Browse
	webex(3).exe	Get hash	malicious	Unknown	Browse
	Full Video HD (1080p).download.lnk	Get hash	malicious	CopperShrimp	Browse
	bomgar-rep-win64-installer.msi	Get hash	malicious	Unknown	Browse
	Create_Installer_PLC0000037_2025_French_WIN64.exe	Get hash	malicious	Unknown	Browse
	qk9TaBBxh8.exe	Get hash	malicious	LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	xSO7sbN2j6.exe	Get hash	malicious	Unknown	Browse
	xSO7sbN2j6.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	whisper-faster.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\45f611bb

Download File

Process:	C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe
File Type:	data
Category:	dropped
Size (bytes):	1043838
Entropy (8bit):	7.5353721618189375
Encrypted:	false
SSDEEP:	12288:kgPpb/+oN1Dzy+JaivbOL+ETwL1IcjfMorEC9Q5Jo06P+/IL/S0tYlvZ1ufnCDEQ:9PvSCzxQorEC98K2GtY6O+qoxySE
MD5:	10352C0041C7A195B83A0984C2C13484
SHA1:	E888E65C32924E961C722CFB5DA564A0CDC7B193
SHA-256:	16FACEB7BF9458476F07FB4FAF8522A9C9B11F4EC7448729529CDA8D6E4303D2
SHA-512:	77A670AA1661CC3E752F79D299D252B93D7B40A144CEA89934002BADAC782A6F3DB901125BE3BF507C5A819D1310E5FFBDBB82E605151E6C9854C0FF9B9EE886
Malicious:	false
Reputation:	low
Preview:	.>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>.....A...P.b.x.L.b.X.M.W.u.I.M.J.c...t.K.A.Q.c.S.M.J.c.K...>...>...>...>...>...>...>...>...>...>...>...Q...J.p.W.t.F...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...Q.c._.t.P.e.P.t.>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...i._.w.4.s.r.Q.~.J._.j.W._.t.Q.z.>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>.....!...&.....>...>...>...>...>...>...>...>...>...>..

C:\Users\user\AppData\Local\Temp\4ab519bc

Download File

Process:	C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe
File Type:	data
Category:	dropped
Size (bytes):	1043838
Entropy (8bit):	7.535373134470814
Encrypted:	false
SSDEEP:	12288:cgPpb/+oN1Dzy+JaivbOL+ETwL1IcjfMorEC9Q5Jo06P+/IL/S0tYlvZ1ufnCDEQ:1PvSCzxQorEC98K2GtY6O+qoxySE
MD5:	D2E2C7A5E12F024D76AE3C734491073B
SHA1:	5468A370FD389A9748E1A2E6300DF16A8DBCA78C
SHA-256:	28CCCC0AEC7A8F6288AFA8D5817BE4314E99065CE4F645D1EC36251D467A79D7
SHA-512:	F552E924880290E39FA690B9563826A76521AEBC269A6D28C68047558251C9AA1C7FB3EE6E0C6D2C463462E84184E0CD27A1BE0F5B7831668C23A7B3771BC6D6
Malicious:	false
Reputation:	low
Preview:	.>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>.....A...P.b.x.L.b.X.M.W.u.I.M.J.c...t.K.A.Q.c.S.M.J.c.K...>...>...>...>...>...>...>...>...>...>...>...Q...J.p.W.t.F...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...Q.c._.t.P.e.P.t.>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...i._.w.4.s.r.Q.~.J._.j.W._.t.Q.z.>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>.....!...&.....>...>...>...>...>...>...>...>...>...>..

C:\Users\user\AppData\Local\Temp\EASteamProxy.exe

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5644904
Entropy (8bit):	6.473386186229144
Encrypted:	false
SSDEEP:	98304:o/zx+riUDpJowboU+XEsumY2XW6jBYeZ1ER:2x+riUDwUj12X1tY5
MD5:	AD2735F096925010A53450CB4178C89E
SHA1:	C6D65163C6315A642664F4EAEC0FAE9528549BFE
SHA-256:	4E775B5FAFB4E6D89A4694F8694D2B8B540534BD4A52FF42F70095F1C929160E
SHA-512:	1868B22A7C5CBA89545B06F010C09C5418B3D86039099D681EEE9567C47208FDBA3B89C6251CF03C964C58C805280D45BA9C3533125F6BD3E0BC067477E03AB9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...................................p...........!..L.!This program cannot be run in DOS mode....$.......82..\|S..\|S..\|S..u+}.dS..i,..xS..i,..vS..i,..zS..i,..JS..i,..zS...5..~S...5..zS...5..}S..&..~S...:..{S...:..xS......uS......dR...:..FS...:..LS......}S......tS...5..TS..\|S..4V..J....S..J...}S..\|Sy.}S..J...}S..Rich\|S..........................PE..d....\.e.........."....%.47...........$........@..............................W......VV...`.................................................P.O......`V.h.....S.d.....U.h(...pV.....G.T.....................G.(.....G.@............P7.. ...........................text....27......47................. ..`.rdata.......P7......87.............@..@.data........pP..H...TP.............@....pdata..d.....S.......R.............@..@.rsrc...h....`V......jU.............@..@.reloc......pV......pU.............@..B................................................................................................................................

C:\Users\user\AppData\Local\Temp\Qt5Core.dll

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6270976
Entropy (8bit):	6.673131193590534
Encrypted:	false
SSDEEP:	98304:cE5jJSnL0VxTOnyJJsv6tWKFdu9Cs/CzYnxqfRgw:cE5NSn0xLJJsv6tWKFdu9CMkexqfRF
MD5:	68E600CB754E04557EF716B9EBC93FE4
SHA1:	8302AB611E787C312B971CE05935FF6E956FAEDE
SHA-256:	8F4C72E3C7DE1AB5D894EC7813F65C5298ECAFC183F31924B44A427433FFCA42
SHA-512:	8BBD7D14B59F01EBA7C46A6E8592C037CAB73BED1EB0762FC278CF7B81082784E88D777A32F71BC2DE128C0186321004BFA4CA68D1BCAA5660694C007219E98E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........*.7.Kfd.Kfd.Kfd.3.d.Kfd.#ge.Kfdx.d.Kfd.#ce.Kfd.#be.Kfd.#ee.Kfd.#be.Kfd.#`e.Kfd.#ge.Kfd.Kgd.Jfdx"be.Kfdx"ce.Kfdx"fe.Kfdx".d.Kfd.K.d.Kfdx"de.KfdRich.Kfd........PE..d...}).a.........." .....r/...0.....P+.......................................``...........`...........................................P..N....X...... `.......Y..-...........0`.\&....K.T...................p.K.(...p.K.............../.0............................text....p/......r/................. ..`.rdata...(.../...(..v/.............@..@.data........0X..V....X.............@....pdata...-....Y......fX.............@..@.qtmimed.....0[.......Z.............@..P.rsrc........ `......._.............@..@.reloc..\&...0`..(...._.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Qt5Network.dll

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1389568
Entropy (8bit):	6.403589914757204
Encrypted:	false
SSDEEP:	24576:MO51NG2bq1mhQpCR4SSUVxiKZivaKau3pUlSuMEFR+PoT0lKU:a4hQoRpSUVYKZqPau3pUlNMEePoT0Y
MD5:	6B63CA8C121D546642F9E2793E0862DE
SHA1:	F3301B0AA224FA406EC27F4AB16983811AB3B47B
SHA-256:	E3B7E0392CC48D21850C950AC0799624A9268A3F549CA791687F21ACC46BBDF7
SHA-512:	5EC10A14C7F72C11B1FFA81E1180DF1C63BB740D62BA956EEF06FB1BA3305EEC317F2E148DB1A21063AD1C12226567643FAA70A99B8E16AF7C3CA3377E5A9AC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 54% Antivirus: Virustotal, Detection: 8%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Z..q.n.".n.".n."...".n."E.{#.n."L.{#.n."L.\|#.n."L.z#.n."L.~#.n."E.~#.n."..~#.n.".n~".j."..z#.n."...#.n."...".n.".n.".n."..}#.n."Rich.n."........................PE..d....).a.........." .....p...........h....................................................`..............................................n...L..@....p.......p..x.......................T...................@...(...@...................H ...........................text....n.......p.................. ..`.rdata..X............t..............@..@.data...8Q.......$..................@....pdata..x....p.......&..............@..@.rsrc........p......................@..@.reloc............... ..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\blackleg.pptx

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	data
Category:	dropped
Size (bytes):	20053
Entropy (8bit):	5.810880187439962
Encrypted:	false
SSDEEP:	384:OP5U7/ku599QyFp8hNXDSSouzQ5Jut6avnwlRU44yM/AQwJ:Y5U73QywNzRo/5JuoywlRUqRJ
MD5:	52FAF44080314D7B1649FF4FA2BD4B38
SHA1:	819C0BE129BD3E02D3DB596B657A990BB82142D3
SHA-256:	3F52B33B984DF8E59DBDF6312F7A165437A2B33EE43C80A1E6A4C913C30D959A
SHA-512:	DBF4276D0C18C15FABB2CA79448B510333FF3F378B5195FD9D0D72BDDB3E6ECEF316507D1F01C0AEEE769C30CBC4293FC594BBBFB1C1D067F95940666407ACE2
Malicious:	false
Reputation:	low
Preview:	h.i..NuYV...mb..w...S..v.F..J.yy..\i..kc...x...Ay..VUM.I^s..f.N...k.....k..dxtv...D...G.DoT...n...e..].hNkg...G......H.R.ROO..y..enG..`.i.T.S.P..jKBj...Sq....y..k.h..NV.O.A..rt.VOFr...O...[Xvi.[f_p.l.....g.S.a.Q...s..`.tY.Ep......r.C........KfEL...L....uml...f...Haps^.g.l..q.L.c.LSwIyYST.....I.eOQW.p.^..dDs.cm..aN...d_SqoY.s......]a.NEM.LNBrys..Wd...Zc..Z.x..Nh.U.....q.....C......Rbj.BwMg.w.F...J.....\..X.R..kxK..Vh.D..lq.`..U..rl.J....dE.\^V..k..eG.FD.\..aJ.Bc.kZ....a..c..nx.I]N..u..KNB......FNj.pw.S.ir...l..J..M...a..Ik.H..uc.m.`q..y`..HY..VjlO..n.xa.SaB..^Q.sB..L......\`....e.vS..ET..i.dy.Q....PCBF^O.^.Hs...nq\...HVd..x..wZ.b.G..[EuE..Y..rd._.t....P.h.tF.^.jN.[X....i..lN.T.OAeZ..K..hD.g.jhU.b...whb.I.^U.m...bApA.mI...]T.r..W..q....H......L.Cxssp..V.s....W]...]a..`.Q.Y...tvkWsO..F.T.d.......LY.e.mP.sMqjX.\cI`y...e....Dl..u.C..^..q.mEo....x.....T.aS.KreOk.NJ......[c..H`.\^.l.Y..sRIu..g...u...._.R.B.b.F.H.`fc.N..iB.y..u..Ao`C..eG..K_ID.ChUu._.g...^.O..v.McQ....h..T.D[q.r...BS..SoF..ZL[

C:\Users\user\AppData\Local\Temp\decibel.mp3

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	data
Category:	dropped
Size (bytes):	809820
Entropy (8bit):	7.876506989330647
Encrypted:	false
SSDEEP:	24576:QvjixgmybAqRZ0tW0YPxtf+wMHVjcrhziKANUxDk4mkhzW:Femy8qX0tWTf+NHdclgybmkE
MD5:	B60BE8FF2A7F2A1C8A49F6ADC4CCBA97
SHA1:	D4C9CD22A4EFE790D6E6C5FD0CD6385E54A9CA29
SHA-256:	114A4C8F8B4CBC799F2093D44386D57CAC0990719128CD864BAC571C63A02B41
SHA-512:	AF001BC023FDDCE01F1741248785582DAFD859853780AB8058B236E19B068B22A60C2866D9521B1DAC53C7FC59F145C5943891F9B0D04F2E491E5E5EA1939A95
Malicious:	false
Reputation:	low
Preview:	.....M.W..U.ZCvd..B....t..e..EBlU..`....nk..A..li..K...B]Q.r.c....KN.f.Z..idBlc..]uxB...aBN..f..U.g..oNx....c.B]Q..cE.T..Q.E.ZN.KHu..r..o.W.c..WTB...x..oox.E..f...W.ul..cQq..N..xHccN..g]QT.ilW.T..B....].c`W\Hr..uB..r.W........jx..`uru.EKK...Z.cEi.....iN.auE].Kf...u.lc....rf.u.oBWBxoN..`..W.W..]....c....K...K.rBTrorHor.o....ix.KN..Wf.Q.x]..x....E..cclK..lN...TuiZ.EK....`cHNQ..]..Ec.cn...Z.W..TE.K.BH.W..o..HQi.i...c.o.f...fT.N...]......x..WK....Q.r.x...`.ui.....f.]....u.......cc.N...ZKi.]l]..E.KQ.o.....o..iuT.T.H..N...T.....Wf.`urNlo.o..QKr.r..ZQT..ri..x...o..c...i.B.]fE.ZirN.....W]Q..r..]NZ..E.o.ulu.r.H.rlTWiu.Wr.xNW...BZWl.u..N..HK..K.....B.Hl..x.c..`.......Eu]l.Q.]E].....iHx...i..E`.`To.].r...ZBoWBQ.Wc..Hl....Wi.TfKl.Wu.BKN.K.]cQ..H..`i.]..f..lW......ZWBxofE....ZoE.flo.uE.fu....HKK].ilTZof.i..oHfc.o]ci.lH.KK....l..uBQlKl..xol....r..]WBEN.H..r]Q..]K.Qr.Z..rBB]]Nl.fo.`.`f.NK...H.`..].K.o...WWxTc...H.....f.N...c.u..W.c.xK..`.KrWE.H...Q].xr...........BlNZQi.ZQfZ.BZW.rBB..oNKB...Bx.E.TE...

C:\Users\user\AppData\Local\Temp\gqnmaqicmbds

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	318464
Entropy (8bit):	6.789607874172199
Encrypted:	false
SSDEEP:	3072:FoL+wM/T+rZT4cpqEqgPSN3snwrb/rX3iO8gPneJIYdZeqibPb5tYYKWy3O6gC2+:WzP9T4c+oSN3Xb/rwgPnMGYtO6n2+
MD5:	DA6F773F5219CF0740BA0F4971568926
SHA1:	FB42DC4EE2DBBD12237E35BD7CDCFF0FB62A593D
SHA-256:	FD6D3F8F3DEF8236A0C8482739058B0C3CF0C203A875AE42E8BA1FCB975360E6
SHA-512:	EE2175CC08B3B49CFFA60C429AF578E82BE6CFA4404F525A760D4D931C3F12FE208EF3B0D1E3725F4DC28F846422435FB0CEEB60413402A1FB264CA3E89638E4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 78%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....9rO.........................................@.......................................@.....................................x............................0..<Q...................................................................................text...'........................... ..`.rdata..[*.......,..................@..@.data...............................@....reloc..<Q...0...R...~..............@..Bqtam................................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\libcrypto-1_1-x64.dll

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2849280
Entropy (8bit):	5.898395689897465
Encrypted:	false
SSDEEP:	49152:KlOh5PuX2I9Rkf5gnQ7duzGuqFCtLQ2IqNPz38JQ41CPwDv3uFfJ:Q2Irkn2Iqt38C41CPwDv3uFfJ
MD5:	28DEA3E780552EB5C53B3B9B1F556628
SHA1:	55DCCD5B30CE0363E8EBDFEB1CCA38D1289748B8
SHA-256:	52415829D85C06DF8724A3D3D00C98F12BEABF5D6F3CBAD919EC8000841A86E8
SHA-512:	19DFE5F71901E43EA34D257F693AE1A36433DBDBCD7C9440D9B0F9EEA24DE65C4A8FE332F7B88144E1A719A6BA791C2048B4DD3E5B1ED0FDD4C813603AD35112
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OKkQ.%8Q.%8Q.%8XV.8C.%8.F$9S.%8.F 9Z.%8.F!9Y.%8.F&9R.%8EE$9Z.%8Q.$8..%8.G&9P.%8.G!9.,%8.G%9P.%8.G.8P.%8.G'9P.%8RichQ.%8................PE..d...._.c.........." .................q.......................................0,...........`.........................................`.&..h...j+.@.....+.\|.....).t.............+.pN...=$.8............................=$..............`+..............................text...g........................... ..`.rdata..{....0......................@..@.data...aw... )......(.............@....pdata........)......&).............@..@.idata..."...`+..$.................@..@.00cfg........+.......*.............@..@.rsrc...\|.....+.......+.............@..@.reloc...q....+..r....+.............@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\libssl-1_1-x64.dll

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	685056
Entropy (8bit):	5.49393422013168
Encrypted:	false
SSDEEP:	12288:PcPPRr7K55yAAKDNkk1+cFc+CmRkS9/+wDe1rlXiE4D9u3AG3UQjA5WU2lvz:2N43+cFcmYhXixo7708U2lvz
MD5:	4AD03043A32E9A1EF64115FC1ACE5787
SHA1:	352E0E3A628C8626CFF7EED348221E889F6A25C4
SHA-256:	A0E43CBC4A2D8D39F225ABD91980001B7B2B5001E8B2B8292537AE39B17B85D1
SHA-512:	EDFAE3660A5F19A9DEDA0375EFBA7261D211A74F1D8B6BF1A8440FED4619C4B747ACA8301D221FD91230E7AF1DAB73123707CC6EDA90E53EB8B6B80872689BA6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5,5.qM[TqM[TqM[Tx5.T}M[T#%ZUsM[Te&ZUsM[T#%^UzM[T#%_UyM[T#%XUrM[T.$ZUrM[TqMZT.L[T.$_U]M[T.$[UpM[T.$.TpM[T.$YUpM[TRichqM[T........PE..d....`.c.........." .....0...J.......%....................................................`..............................................N..(5..........s.......DL..............\.......8............................................ ..(............................text............0.................. ..`.rdata...&...@...(...4..............@..@.data...!M...p...D...\..............@....pdata...U.......V..................@..@.idata...V... ...X..................@..@.00cfg...............N..............@..@.rsrc...s............P..............@..@.reloc..@............X..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\msvcp140.dll

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	578384
Entropy (8bit):	6.524580849411757
Encrypted:	false
SSDEEP:	12288:RBSNvy11qsslnxU/1ceqHiNHlOp/2M+UHHZpDLO+r2VhQEKZm+jWodEEVAdm:RBSDOFQEKZm+jWodEE2dm
MD5:	1BA6D1CF0508775096F9E121A24E5863
SHA1:	DF552810D779476610DA3C8B956CC921ED6C91AE
SHA-256:	74892D9B4028C05DEBAF0B9B5D9DC6D22F7956FA7D7EEE00C681318C26792823
SHA-512:	9887D9F5838AA1555EA87968E014EDFE2F7747F138F1B551D1F609BC1D5D8214A5FDAB0D76FCAC98864C1DA5EB81405CA373B2A30CB12203C011D89EA6D069AF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: webex(3).exe, Detection: malicious, Browse Filename: webex(3).exe, Detection: malicious, Browse Filename: Full Video HD (1080p).download.lnk, Detection: malicious, Browse Filename: bomgar-rep-win64-installer.msi, Detection: malicious, Browse Filename: Create_Installer_PLC0000037_2025_French_WIN64.exe, Detection: malicious, Browse Filename: qk9TaBBxh8.exe, Detection: malicious, Browse Filename: xSO7sbN2j6.exe, Detection: malicious, Browse Filename: xSO7sbN2j6.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, Detection: malicious, Browse Filename: whisper-faster.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."...f..f..f.....d..o.A.p..f........c.....n.....b...........g....-.g.....g..Richf..........................PE..d................." ...$.F...V......`1....................................................`A........................................PB..h.......,................9......PO......8...p...p...........................0...@............`...............................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data....8...@......................@....pdata...9.......:...<..............@..@.rsrc................v..............@..@.reloc..8............z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\msvcp140_1.dll

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35704
Entropy (8bit):	6.591016227549893
Encrypted:	false
SSDEEP:	384:z1vZLMtUYqOoKFYpWcm5gW/ki0pSt+eB+Hj+R9zUkUTRtHRN7SoHR9zui5TJ:zpCtzqOjKYWi0QKHji9zSRtnx9zJTJ
MD5:	69D96E09A54FBC5CF92A0E084AB33856
SHA1:	B4629D51B5C4D8D78CCB3370B40A850F735B8949
SHA-256:	A3A1199DE32BBBC8318EC33E2E1CE556247D012851E4B367FE853A51E74CE4EE
SHA-512:	2087827137C473CDBEC87789361ED34FAD88C9FE80EF86B54E72AEA891D91AF50B17B7A603F9AE2060B3089CE9966FAD6D7FBE22DEE980C07ED491A75503F2CF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x. c<.N0<.N0<.N0..O1>.N05..08.N0..J1;.N0..M1>.N0<.O0..N0..O19.N0..K1(.N0..N1=.N0..0=.N0..L1=.N0Rich<.N0........PE..d...E.b..........." ...$.....&.......................................................<....`A.........................................?..L...<A..x....p.......`.......<..xO...........4..p...........................`3..@............0..8............................text............................... ..`.rdata..2....0......................@..@.data........P......................@....pdata.......`.......2..............@..@.rsrc........p.......6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\steam_api64.dll

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	298384
Entropy (8bit):	6.4905956879024
Encrypted:	false
SSDEEP:	3072:504VEQ2u/niy9UVLCe9ZqdrP+VXvv+sJYB2RHKBi65lhTbCc+hnvvEyP7yq+uei1:QZu/i874ZcrMv2cRh7yqO2CPLHxYq8/B
MD5:	6B4AB6E60364C55F18A56A39021B74A6
SHA1:	39CAC2889D8CA497EE0D8434FC9F6966F18FA336
SHA-256:	1DB3FD414039D3E5815A5721925DD2E0A3A9F2549603C6CAB7C49B84966A1AF3
SHA-512:	C08DE8C6E331D13DFE868AB340E41552FC49123A9F782A5A63B95795D5D979E68B5A6AB171153978679C0791DC3E3809C883471A05864041CE60B240CCDD4C21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@.......................................VLV......`...%.bZf........R...%j..6../N..'...%.]1B3...+..6..'..6...wFA.}l?...K..L.MN.t.....f.sD&f......x.I...K.mP..P..\G.3.b..X...6.e.>L................................................................PE..d....%.b.........." .....`..........P.........@;..........................................`.........................................`7..........P............`...#...`...-......T.......T.......................(...0...8............p...............................text...._.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata...#...`...$...*..............@..@_RDATA...............N..............@..@.rsrc................P..............@..@.reloc..T............X..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tbh

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	318464
Entropy (8bit):	6.789607874172199
Encrypted:	false
SSDEEP:	3072:FoL+wM/T+rZT4cpqEqgPSN3snwrb/rX3iO8gPneJIYdZeqibPb5tYYKWy3O6gC2+:WzP9T4c+oSN3Xb/rwgPnMGYtO6n2+
MD5:	DA6F773F5219CF0740BA0F4971568926
SHA1:	FB42DC4EE2DBBD12237E35BD7CDCFF0FB62A593D
SHA-256:	FD6D3F8F3DEF8236A0C8482739058B0C3CF0C203A875AE42E8BA1FCB975360E6
SHA-512:	EE2175CC08B3B49CFFA60C429AF578E82BE6CFA4404F525A760D4D931C3F12FE208EF3B0D1E3725F4DC28F846422435FB0CEEB60413402A1FB264CA3E89638E4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 78%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....9rO.........................................@.......................................@.....................................x............................0..<Q...................................................................................text...'........................... ..`.rdata..[*.......,..................@..@.data...............................@....reloc..<Q...0...R...~..............@..Bqtam................................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vcruntime140.dll

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109440
Entropy (8bit):	6.642252418996898
Encrypted:	false
SSDEEP:	1536:BcghDMWyjXZZIzpdbJhKm6Kuzu8fsecbq8uOFQr+zMtY+zA:BVHyQNdbJAKuzRsecbq8uOFvyU
MD5:	49C96CECDA5C6C660A107D378FDFC3D4
SHA1:	00149B7A66723E3F0310F139489FE172F818CA8E
SHA-256:	69320F278D90EFAAEB67E2A1B55E5B0543883125834C812C8D9C39676E0494FC
SHA-512:	E09E072F3095379B0C921D41D6E64F4F1CD78400594A2317CFB5E5DCA03DEDB5A8239ED89905C9E967D1ACB376B0585A35ADDF6648422C7DDB472CE38B1BA60D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{n...=...=...=l..<...=...=...=...=...=...<...=...<...=...<...=...<...=...=...=...<...=Rich...=........PE..d.....K..........." ...$.....`............................................................`A........................................`C..4....K...............p..\|....\...O...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata..\|....p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vcruntime140_1.dll

Download File

Process:	C:\Users\user\Desktop\4OVYJHCTFA.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49560
Entropy (8bit):	6.6649899041961875
Encrypted:	false
SSDEEP:	768:a0Q4HUcGJZekJSam1BbuBSYcCZbiLzlSHji9z4GwZHji9znwT:afnDex5izbiLzlE+z4Gwl+zwT
MD5:	CF0A1C4776FFE23ADA5E570FC36E39FE
SHA1:	2050FADECC11550AD9BDE0B542BCF87E19D37F1A
SHA-256:	6FD366A691ED68430BCD0A3DE3D8D19A0CB2102952BFC140BBEF4354ED082C47
SHA-512:	D95CD98D22CA048D0FC5BCA551C9DB13D6FA705F6AF120BBBB621CF2B30284BFDC7320D0A819BB26DAB1E0A46253CC311A370BED4EF72ECB60C69791ED720168
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V...V...V......T.......T..._.D.]...V...e.......S.......Q.......M.......W.....(.W.......W...RichV...........PE..d...}.4..........." ...$.<...8.......A..............................................e4....`A........................................0m.......m..x....................r...O......D....c..p...........................pb..@............P..h............................text...@:.......<.................. ..`.rdata..."...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5644904
Entropy (8bit):	6.473386186229144
Encrypted:	false
SSDEEP:	98304:o/zx+riUDpJowboU+XEsumY2XW6jBYeZ1ER:2x+riUDwUj12X1tY5
MD5:	AD2735F096925010A53450CB4178C89E
SHA1:	C6D65163C6315A642664F4EAEC0FAE9528549BFE
SHA-256:	4E775B5FAFB4E6D89A4694F8694D2B8B540534BD4A52FF42F70095F1C929160E
SHA-512:	1868B22A7C5CBA89545B06F010C09C5418B3D86039099D681EEE9567C47208FDBA3B89C6251CF03C964C58C805280D45BA9C3533125F6BD3E0BC067477E03AB9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...................................p...........!..L.!This program cannot be run in DOS mode....$.......82..\|S..\|S..\|S..u+}.dS..i,..xS..i,..vS..i,..zS..i,..JS..i,..zS...5..~S...5..zS...5..}S..&..~S...:..{S...:..xS......uS......dR...:..FS...:..LS......}S......tS...5..TS..\|S..4V..J....S..J...}S..\|Sy.}S..J...}S..Rich\|S..........................PE..d....\.e.........."....%.47...........$........@..............................W......VV...`.................................................P.O......`V.h.....S.d.....U.h(...pV.....G.T.....................G.(.....G.@............P7.. ...........................text....27......47................. ..`.rdata.......P7......87.............@..@.data........pP..H...TP.............@....pdata..d.....S.......R.............@..@.rsrc...h....`V......jU.............@..@.reloc......pV......pU.............@..B................................................................................................................................

C:\Users\user\AppData\Roaming\demoWordpad_dbg\Qt5Core.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6270976
Entropy (8bit):	6.673131193590534
Encrypted:	false
SSDEEP:	98304:cE5jJSnL0VxTOnyJJsv6tWKFdu9Cs/CzYnxqfRgw:cE5NSn0xLJJsv6tWKFdu9CMkexqfRF
MD5:	68E600CB754E04557EF716B9EBC93FE4
SHA1:	8302AB611E787C312B971CE05935FF6E956FAEDE
SHA-256:	8F4C72E3C7DE1AB5D894EC7813F65C5298ECAFC183F31924B44A427433FFCA42
SHA-512:	8BBD7D14B59F01EBA7C46A6E8592C037CAB73BED1EB0762FC278CF7B81082784E88D777A32F71BC2DE128C0186321004BFA4CA68D1BCAA5660694C007219E98E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........*.7.Kfd.Kfd.Kfd.3.d.Kfd.#ge.Kfdx.d.Kfd.#ce.Kfd.#be.Kfd.#ee.Kfd.#be.Kfd.#`e.Kfd.#ge.Kfd.Kgd.Jfdx"be.Kfdx"ce.Kfdx"fe.Kfdx".d.Kfd.K.d.Kfdx"de.KfdRich.Kfd........PE..d...}).a.........." .....r/...0.....P+.......................................``...........`...........................................P..N....X...... `.......Y..-...........0`.\&....K.T...................p.K.(...p.K.............../.0............................text....p/......r/................. ..`.rdata...(.../...(..v/.............@..@.data........0X..V....X.............@....pdata...-....Y......fX.............@..@.qtmimed.....0[.......Z.............@..P.rsrc........ `......._.............@..@.reloc..\&...0`..(...._.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\demoWordpad_dbg\Qt5Network.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1389568
Entropy (8bit):	6.403589914757204
Encrypted:	false
SSDEEP:	24576:MO51NG2bq1mhQpCR4SSUVxiKZivaKau3pUlSuMEFR+PoT0lKU:a4hQoRpSUVYKZqPau3pUlNMEePoT0Y
MD5:	6B63CA8C121D546642F9E2793E0862DE
SHA1:	F3301B0AA224FA406EC27F4AB16983811AB3B47B
SHA-256:	E3B7E0392CC48D21850C950AC0799624A9268A3F549CA791687F21ACC46BBDF7
SHA-512:	5EC10A14C7F72C11B1FFA81E1180DF1C63BB740D62BA956EEF06FB1BA3305EEC317F2E148DB1A21063AD1C12226567643FAA70A99B8E16AF7C3CA3377E5A9AC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 54% Antivirus: Virustotal, Detection: 8%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Z..q.n.".n.".n."...".n."E.{#.n."L.{#.n."L.\|#.n."L.z#.n."L.~#.n."E.~#.n."..~#.n.".n~".j."..z#.n."...#.n."...".n.".n.".n."..}#.n."Rich.n."........................PE..d....).a.........." .....p...........h....................................................`..............................................n...L..@....p.......p..x.......................T...................@...(...@...................H ...........................text....n.......p.................. ..`.rdata..X............t..............@..@.data...8Q.......$..................@....pdata..x....p.......&..............@..@.rsrc........p......................@..@.reloc............... ..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\demoWordpad_dbg\blackleg.pptx

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	data
Category:	dropped
Size (bytes):	20053
Entropy (8bit):	5.810880187439962
Encrypted:	false
SSDEEP:	384:OP5U7/ku599QyFp8hNXDSSouzQ5Jut6avnwlRU44yM/AQwJ:Y5U73QywNzRo/5JuoywlRUqRJ
MD5:	52FAF44080314D7B1649FF4FA2BD4B38
SHA1:	819C0BE129BD3E02D3DB596B657A990BB82142D3
SHA-256:	3F52B33B984DF8E59DBDF6312F7A165437A2B33EE43C80A1E6A4C913C30D959A
SHA-512:	DBF4276D0C18C15FABB2CA79448B510333FF3F378B5195FD9D0D72BDDB3E6ECEF316507D1F01C0AEEE769C30CBC4293FC594BBBFB1C1D067F95940666407ACE2
Malicious:	false
Preview:	h.i..NuYV...mb..w...S..v.F..J.yy..\i..kc...x...Ay..VUM.I^s..f.N...k.....k..dxtv...D...G.DoT...n...e..].hNkg...G......H.R.ROO..y..enG..`.i.T.S.P..jKBj...Sq....y..k.h..NV.O.A..rt.VOFr...O...[Xvi.[f_p.l.....g.S.a.Q...s..`.tY.Ep......r.C........KfEL...L....uml...f...Haps^.g.l..q.L.c.LSwIyYST.....I.eOQW.p.^..dDs.cm..aN...d_SqoY.s......]a.NEM.LNBrys..Wd...Zc..Z.x..Nh.U.....q.....C......Rbj.BwMg.w.F...J.....\..X.R..kxK..Vh.D..lq.`..U..rl.J....dE.\^V..k..eG.FD.\..aJ.Bc.kZ....a..c..nx.I]N..u..KNB......FNj.pw.S.ir...l..J..M...a..Ik.H..uc.m.`q..y`..HY..VjlO..n.xa.SaB..^Q.sB..L......\`....e.vS..ET..i.dy.Q....PCBF^O.^.Hs...nq\...HVd..x..wZ.b.G..[EuE..Y..rd._.t....P.h.tF.^.jN.[X....i..lN.T.OAeZ..K..hD.g.jhU.b...whb.I.^U.m...bApA.mI...]T.r..W..q....H......L.Cxssp..V.s....W]...]a..`.Q.Y...tvkWsO..F.T.d.......LY.e.mP.sMqjX.\cI`y...e....Dl..u.C..^..q.mEo....x.....T.aS.KreOk.NJ......[c..H`.\^.l.Y..sRIu..g...u...._.R.B.b.F.H.`fc.N..iB.y..u..Ao`C..eG..K_ID.ChUu._.g...^.O..v.McQ....h..T.D[q.r...BS..SoF..ZL[

C:\Users\user\AppData\Roaming\demoWordpad_dbg\decibel.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	data
Category:	dropped
Size (bytes):	809820
Entropy (8bit):	7.876506989330647
Encrypted:	false
SSDEEP:	24576:QvjixgmybAqRZ0tW0YPxtf+wMHVjcrhziKANUxDk4mkhzW:Femy8qX0tWTf+NHdclgybmkE
MD5:	B60BE8FF2A7F2A1C8A49F6ADC4CCBA97
SHA1:	D4C9CD22A4EFE790D6E6C5FD0CD6385E54A9CA29
SHA-256:	114A4C8F8B4CBC799F2093D44386D57CAC0990719128CD864BAC571C63A02B41
SHA-512:	AF001BC023FDDCE01F1741248785582DAFD859853780AB8058B236E19B068B22A60C2866D9521B1DAC53C7FC59F145C5943891F9B0D04F2E491E5E5EA1939A95
Malicious:	false
Preview:	.....M.W..U.ZCvd..B....t..e..EBlU..`....nk..A..li..K...B]Q.r.c....KN.f.Z..idBlc..]uxB...aBN..f..U.g..oNx....c.B]Q..cE.T..Q.E.ZN.KHu..r..o.W.c..WTB...x..oox.E..f...W.ul..cQq..N..xHccN..g]QT.ilW.T..B....].c`W\Hr..uB..r.W........jx..`uru.EKK...Z.cEi.....iN.auE].Kf...u.lc....rf.u.oBWBxoN..`..W.W..]....c....K...K.rBTrorHor.o....ix.KN..Wf.Q.x]..x....E..cclK..lN...TuiZ.EK....`cHNQ..]..Ec.cn...Z.W..TE.K.BH.W..o..HQi.i...c.o.f...fT.N...]......x..WK....Q.r.x...`.ui.....f.]....u.......cc.N...ZKi.]l]..E.KQ.o.....o..iuT.T.H..N...T.....Wf.`urNlo.o..QKr.r..ZQT..ri..x...o..c...i.B.]fE.ZirN.....W]Q..r..]NZ..E.o.ulu.r.H.rlTWiu.Wr.xNW...BZWl.u..N..HK..K.....B.Hl..x.c..`.......Eu]l.Q.]E].....iHx...i..E`.`To.].r...ZBoWBQ.Wc..Hl....Wi.TfKl.Wu.BKN.K.]cQ..H..`i.]..f..lW......ZWBxofE....ZoE.flo.uE.fu....HKK].ilTZof.i..oHfc.o]ci.lH.KK....l..uBQlKl..xol....r..]WBEN.H..r]Q..]K.Qr.Z..rBB]]Nl.fo.`.`f.NK...H.`..].K.o...WWxTc...H.....f.N...c.u..W.c.xK..`.KrWE.H...Q].xr...........BlNZQi.ZQfZ.BZW.rBB..oNKB...Bx.E.TE...

C:\Users\user\AppData\Roaming\demoWordpad_dbg\libcrypto-1_1-x64.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2849280
Entropy (8bit):	5.898395689897465
Encrypted:	false
SSDEEP:	49152:KlOh5PuX2I9Rkf5gnQ7duzGuqFCtLQ2IqNPz38JQ41CPwDv3uFfJ:Q2Irkn2Iqt38C41CPwDv3uFfJ
MD5:	28DEA3E780552EB5C53B3B9B1F556628
SHA1:	55DCCD5B30CE0363E8EBDFEB1CCA38D1289748B8
SHA-256:	52415829D85C06DF8724A3D3D00C98F12BEABF5D6F3CBAD919EC8000841A86E8
SHA-512:	19DFE5F71901E43EA34D257F693AE1A36433DBDBCD7C9440D9B0F9EEA24DE65C4A8FE332F7B88144E1A719A6BA791C2048B4DD3E5B1ED0FDD4C813603AD35112
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OKkQ.%8Q.%8Q.%8XV.8C.%8.F$9S.%8.F 9Z.%8.F!9Y.%8.F&9R.%8EE$9Z.%8Q.$8..%8.G&9P.%8.G!9.,%8.G%9P.%8.G.8P.%8.G'9P.%8RichQ.%8................PE..d...._.c.........." .................q.......................................0,...........`.........................................`.&..h...j+.@.....+.\|.....).t.............+.pN...=$.8............................=$..............`+..............................text...g........................... ..`.rdata..{....0......................@..@.data...aw... )......(.............@....pdata........)......&).............@..@.idata..."...`+..$.................@..@.00cfg........+.......*.............@..@.rsrc...\|.....+.......+.............@..@.reloc...q....+..r....+.............@..B........................................................................................................................................................

C:\Users\user\AppData\Roaming\demoWordpad_dbg\libssl-1_1-x64.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	685056
Entropy (8bit):	5.49393422013168
Encrypted:	false
SSDEEP:	12288:PcPPRr7K55yAAKDNkk1+cFc+CmRkS9/+wDe1rlXiE4D9u3AG3UQjA5WU2lvz:2N43+cFcmYhXixo7708U2lvz
MD5:	4AD03043A32E9A1EF64115FC1ACE5787
SHA1:	352E0E3A628C8626CFF7EED348221E889F6A25C4
SHA-256:	A0E43CBC4A2D8D39F225ABD91980001B7B2B5001E8B2B8292537AE39B17B85D1
SHA-512:	EDFAE3660A5F19A9DEDA0375EFBA7261D211A74F1D8B6BF1A8440FED4619C4B747ACA8301D221FD91230E7AF1DAB73123707CC6EDA90E53EB8B6B80872689BA6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5,5.qM[TqM[TqM[Tx5.T}M[T#%ZUsM[Te&ZUsM[T#%^UzM[T#%_UyM[T#%XUrM[T.$ZUrM[TqMZT.L[T.$_U]M[T.$[UpM[T.$.TpM[T.$YUpM[TRichqM[T........PE..d....`.c.........." .....0...J.......%....................................................`..............................................N..(5..........s.......DL..............\.......8............................................ ..(............................text............0.................. ..`.rdata...&...@...(...4..............@..@.data...!M...p...D...\..............@....pdata...U.......V..................@..@.idata...V... ...X..................@..@.00cfg...............N..............@..@.rsrc...s............P..............@..@.reloc..@............X..............@..B................................................................................................................................................................

C:\Users\user\AppData\Roaming\demoWordpad_dbg\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	578384
Entropy (8bit):	6.524580849411757
Encrypted:	false
SSDEEP:	12288:RBSNvy11qsslnxU/1ceqHiNHlOp/2M+UHHZpDLO+r2VhQEKZm+jWodEEVAdm:RBSDOFQEKZm+jWodEE2dm
MD5:	1BA6D1CF0508775096F9E121A24E5863
SHA1:	DF552810D779476610DA3C8B956CC921ED6C91AE
SHA-256:	74892D9B4028C05DEBAF0B9B5D9DC6D22F7956FA7D7EEE00C681318C26792823
SHA-512:	9887D9F5838AA1555EA87968E014EDFE2F7747F138F1B551D1F609BC1D5D8214A5FDAB0D76FCAC98864C1DA5EB81405CA373B2A30CB12203C011D89EA6D069AF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."...f..f..f.....d..o.A.p..f........c.....n.....b...........g....-.g.....g..Richf..........................PE..d................." ...$.F...V......`1....................................................`A........................................PB..h.......,................9......PO......8...p...p...........................0...@............`...............................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data....8...@......................@....pdata...9.......:...<..............@..@.rsrc................v..............@..@.reloc..8............z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\demoWordpad_dbg\msvcp140_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35704
Entropy (8bit):	6.591016227549893
Encrypted:	false
SSDEEP:	384:z1vZLMtUYqOoKFYpWcm5gW/ki0pSt+eB+Hj+R9zUkUTRtHRN7SoHR9zui5TJ:zpCtzqOjKYWi0QKHji9zSRtnx9zJTJ
MD5:	69D96E09A54FBC5CF92A0E084AB33856
SHA1:	B4629D51B5C4D8D78CCB3370B40A850F735B8949
SHA-256:	A3A1199DE32BBBC8318EC33E2E1CE556247D012851E4B367FE853A51E74CE4EE
SHA-512:	2087827137C473CDBEC87789361ED34FAD88C9FE80EF86B54E72AEA891D91AF50B17B7A603F9AE2060B3089CE9966FAD6D7FBE22DEE980C07ED491A75503F2CF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x. c<.N0<.N0<.N0..O1>.N05..08.N0..J1;.N0..M1>.N0<.O0..N0..O19.N0..K1(.N0..N1=.N0..0=.N0..L1=.N0Rich<.N0........PE..d...E.b..........." ...$.....&.......................................................<....`A.........................................?..L...<A..x....p.......`.......<..xO...........4..p...........................`3..@............0..8............................text............................... ..`.rdata..2....0......................@..@.data........P......................@....pdata.......`.......2..............@..@.rsrc........p.......6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\demoWordpad_dbg\steam_api64.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	298384
Entropy (8bit):	6.4905956879024
Encrypted:	false
SSDEEP:	3072:504VEQ2u/niy9UVLCe9ZqdrP+VXvv+sJYB2RHKBi65lhTbCc+hnvvEyP7yq+uei1:QZu/i874ZcrMv2cRh7yqO2CPLHxYq8/B
MD5:	6B4AB6E60364C55F18A56A39021B74A6
SHA1:	39CAC2889D8CA497EE0D8434FC9F6966F18FA336
SHA-256:	1DB3FD414039D3E5815A5721925DD2E0A3A9F2549603C6CAB7C49B84966A1AF3
SHA-512:	C08DE8C6E331D13DFE868AB340E41552FC49123A9F782A5A63B95795D5D979E68B5A6AB171153978679C0791DC3E3809C883471A05864041CE60B240CCDD4C21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@.......................................VLV......`...%.bZf........R...%j..6../N..'...%.]1B3...+..6..'..6...wFA.}l?...K..L.MN.t.....f.sD&f......x.I...K.mP..P..\G.3.b..X...6.e.>L................................................................PE..d....%.b.........." .....`..........P.........@;..........................................`.........................................`7..........P............`...#...`...-......T.......T.......................(...0...8............p...............................text...._.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata...#...`...$...*..............@..@_RDATA...............N..............@..@.rsrc................P..............@..@.reloc..T............X..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\demoWordpad_dbg\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109440
Entropy (8bit):	6.642252418996898
Encrypted:	false
SSDEEP:	1536:BcghDMWyjXZZIzpdbJhKm6Kuzu8fsecbq8uOFQr+zMtY+zA:BVHyQNdbJAKuzRsecbq8uOFvyU
MD5:	49C96CECDA5C6C660A107D378FDFC3D4
SHA1:	00149B7A66723E3F0310F139489FE172F818CA8E
SHA-256:	69320F278D90EFAAEB67E2A1B55E5B0543883125834C812C8D9C39676E0494FC
SHA-512:	E09E072F3095379B0C921D41D6E64F4F1CD78400594A2317CFB5E5DCA03DEDB5A8239ED89905C9E967D1ACB376B0585A35ADDF6648422C7DDB472CE38B1BA60D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{n...=...=...=l..<...=...=...=...=...=...<...=...<...=...<...=...<...=...=...=...<...=Rich...=........PE..d.....K..........." ...$.....`............................................................`A........................................`C..4....K...............p..\|....\...O...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata..\|....p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\demoWordpad_dbg\vcruntime140_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49560
Entropy (8bit):	6.6649899041961875
Encrypted:	false
SSDEEP:	768:a0Q4HUcGJZekJSam1BbuBSYcCZbiLzlSHji9z4GwZHji9znwT:afnDex5izbiLzlE+z4Gwl+zwT
MD5:	CF0A1C4776FFE23ADA5E570FC36E39FE
SHA1:	2050FADECC11550AD9BDE0B542BCF87E19D37F1A
SHA-256:	6FD366A691ED68430BCD0A3DE3D8D19A0CB2102952BFC140BBEF4354ED082C47
SHA-512:	D95CD98D22CA048D0FC5BCA551C9DB13D6FA705F6AF120BBBB621CF2B30284BFDC7320D0A819BB26DAB1E0A46253CC311A370BED4EF72ECB60C69791ED720168
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V...V...V......T.......T..._.D.]...V...e.......S.......Q.......M.......W.....(.W.......W...RichV...........PE..d...}.4..........." ...$.<...8.......A..............................................e4....`A........................................0m.......m..x....................r...O......D....c..p...........................pb..@............P..h............................text...@:.......<.................. ..`.rdata..."...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992385327226218
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4OVYJHCTFA.exe
File size:	6'198'600 bytes
MD5:	30772bcce9852eb58cf05a75bcdce2f9
SHA1:	b43da7a9785fb47cc1174bb4a896866fbb1a0df0
SHA256:	584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc
SHA512:	a816a2f40e75925214e19b35e507e1a35b4d9e5775b71e1abfa23d75e4d21d2293080be6598b5060b1d5045d5da180ee263fb395f16619719ec515e0f31b6675
SSDEEP:	98304:+pYdpXlLQCWYPzgXWx4qMO3X81hMTuJDdoi37BtYaCCKuZ5qM3g3b9LSsSuIAERN:+pGdbhgXWxRMO3XsmuxddCdoU3J7SuIR
TLSH:	8A56335273C818F4CEB0EA729F05D75C46FBFB852601AE43A35B2EA81DC35A4651B1EC
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................0.......3.......................................P.............................

File Icon


Icon Hash:	d292fcd8f2f2fe1c

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007FDFB4FDBDB2h
cmp dword ptr [00417710h], ebx
jne 00007FDFB4FDBC9Eh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007FDFB4FDBD84h
push 00417048h
push 00417044h
call 00007FDFB4FDBD6Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007FDFB4FDBD3Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x18d04	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x18d04	0x18e00	9dee09854e79aa987e5336a4defda540	False	0.2433358197236181	data	5.382874846103129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a1f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.6781914893617021
RT_ICON	0x1a658	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.47068480300187615
RT_ICON	0x1b700	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.41161825726141077
RT_ICON	0x1dca8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.3213863958431743
RT_ICON	0x21ed0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Russian	Russia	0.1865609842659411
RT_GROUP_ICON	0x326f8	0x4c	data	Russian	Russia	0.7763157894736842
RT_VERSION	0x32744	0x350	data	English	United States	0.47523584905660377
RT_MANIFEST	0x32a94	0x270	ASCII text, with very long lines (624), with no line terminators	English	United States	0.5144230769230769

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 06:46:15.894356966 CEST	53	50084	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	00:45:56
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\4OVYJHCTFA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4OVYJHCTFA.exe"
Imagebase:	0x400000
File size:	6'198'600 bytes
MD5 hash:	30772BCCE9852EB58CF05A75BCDCE2F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:45:58
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Local\Temp\EASteamProxy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\EASteamProxy.exe"
Imagebase:	0x7ff66a080000
File size:	5'644'904 bytes
MD5 hash:	AD2735F096925010A53450CB4178C89E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:45:59
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe
Imagebase:	0x7ff6424b0000
File size:	5'644'904 bytes
MD5 hash:	AD2735F096925010A53450CB4178C89E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:45:59
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:45:59
Start date:	02/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:46:07
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe
Imagebase:	0x7ff6424b0000
File size:	5'644'904 bytes
MD5 hash:	AD2735F096925010A53450CB4178C89E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:46:07
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:46:07
Start date:	02/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:46:19
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x650000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:46:25
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x650000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.9%
Total number of Nodes:	1473
Total number of Limit Nodes:	21

Executed Functions

Function 00404FAA Relevance: 251.9, APIs: 103, Strings: 40, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT(-00000002,00000000,?,00000000), ref: 0040509F
??3@YAXPAX@Z.MSVCRT ref: 004050F1
??3@YAXPAX@Z.MSVCRT ref: 00405102
??3@YAXPAX@Z.MSVCRT ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT(-00000002,?,00000000), ref: 00405217
??2@YAPAXI@Z.MSVCRT ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT ref: 00402953

??3@YAXPAX@Z.MSVCRT ref: 00405453
??3@YAXPAX@Z.MSVCRT ref: 0040545B
??3@YAXPAX@Z.MSVCRT ref: 00405463
??3@YAXPAX@Z.MSVCRT ref: 004054DD
??3@YAXPAX@Z.MSVCRT ref: 004054E5
??3@YAXPAX@Z.MSVCRT ref: 004054ED
??3@YAXPAX@Z.MSVCRT ref: 00405509
??3@YAXPAX@Z.MSVCRT ref: 00405511
??3@YAXPAX@Z.MSVCRT ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT ref: 00403347

??3@YAXPAX@Z.MSVCRT ref: 00405559
??3@YAXPAX@Z.MSVCRT ref: 00405561
??3@YAXPAX@Z.MSVCRT ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 004057DE
??3@YAXPAX@Z.MSVCRT ref: 0040587B
??3@YAXPAX@Z.MSVCRT ref: 00405883
??3@YAXPAX@Z.MSVCRT ref: 0040588B
??3@YAXPAX@Z.MSVCRT ref: 00405913
??3@YAXPAX@Z.MSVCRT ref: 00405938
??3@YAXPAX@Z.MSVCRT ref: 004059AA
??3@YAXPAX@Z.MSVCRT ref: 004059B2
??3@YAXPAX@Z.MSVCRT ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT ref: 00405A30
??3@YAXPAX@Z.MSVCRT ref: 00405A38
??3@YAXPAX@Z.MSVCRT ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT ref: 00405BCD
??3@YAXPAX@Z.MSVCRT ref: 00405BDB
??3@YAXPAX@Z.MSVCRT ref: 00405BE3
??3@YAXPAX@Z.MSVCRT ref: 00405C16
??3@YAXPAX@Z.MSVCRT ref: 00405C1E
??3@YAXPAX@Z.MSVCRT ref: 00405C26
??3@YAXPAX@Z.MSVCRT ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT ref: 004061D4
??3@YAXPAX@Z.MSVCRT ref: 004061DC
??3@YAXPAX@Z.MSVCRT ref: 004061E4
??3@YAXPAX@Z.MSVCRT ref: 004061EA
??3@YAXPAX@Z.MSVCRT ref: 004061FD
??3@YAXPAX@Z.MSVCRT ref: 00406205
??3@YAXPAX@Z.MSVCRT ref: 00406222
??3@YAXPAX@Z.MSVCRT ref: 0040622A
??3@YAXPAX@Z.MSVCRT ref: 00406232
??3@YAXPAX@Z.MSVCRT ref: 0040623A
??3@YAXPAX@Z.MSVCRT ref: 00406242
??3@YAXPAX@Z.MSVCRT ref: 0040624A
??3@YAXPAX@Z.MSVCRT ref: 00406252
??3@YAXPAX@Z.MSVCRT ref: 0040626E
??3@YAXPAX@Z.MSVCRT ref: 00406276
??3@YAXPAX@Z.MSVCRT ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT ref: 00405C4A
??3@YAXPAX@Z.MSVCRT ref: 00405C52
??3@YAXPAX@Z.MSVCRT ref: 00405C5A
??3@YAXPAX@Z.MSVCRT ref: 00405C62
??3@YAXPAX@Z.MSVCRT ref: 00405C94
??3@YAXPAX@Z.MSVCRT ref: 00405CD4
??3@YAXPAX@Z.MSVCRT ref: 00405D41
??3@YAXPAX@Z.MSVCRT ref: 00405D49
??3@YAXPAX@Z.MSVCRT ref: 00405D51
??3@YAXPAX@Z.MSVCRT ref: 00405D59
??3@YAXPAX@Z.MSVCRT ref: 00405E20
??3@YAXPAX@Z.MSVCRT ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT ref: 00405EEC
??3@YAXPAX@Z.MSVCRT ref: 00405EF4
_wtol.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00417788), ref: 00405F65
??3@YAXPAX@Z.MSVCRT ref: 00406294
??3@YAXPAX@Z.MSVCRT ref: 0040629C
??3@YAXPAX@Z.MSVCRT ref: 004062A4
??3@YAXPAX@Z.MSVCRT ref: 004062AA
??3@YAXPAX@Z.MSVCRT ref: 004062B2
??3@YAXPAX@Z.MSVCRT ref: 004062BA
??3@YAXPAX@Z.MSVCRT ref: 004062C2
??3@YAXPAX@Z.MSVCRT ref: 004062CA
??3@YAXPAX@Z.MSVCRT ref: 004062D2
??3@YAXPAX@Z.MSVCRT ref: 004062F1
??3@YAXPAX@Z.MSVCRT ref: 004062F9
??3@YAXPAX@Z.MSVCRT ref: 00406301
??3@YAXPAX@Z.MSVCRT ref: 00406307
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT ref: 0040636D
??3@YAXPAX@Z.MSVCRT ref: 004063E6
??3@YAXPAX@Z.MSVCRT ref: 0040643D
??3@YAXPAX@Z.MSVCRT ref: 00406445
??3@YAXPAX@Z.MSVCRT ref: 0040644D
??3@YAXPAX@Z.MSVCRT ref: 00406455
??3@YAXPAX@Z.MSVCRT ref: 0040646A
??3@YAXPAX@Z.MSVCRT ref: 0040647B
??3@YAXPAX@Z.MSVCRT ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

htS, xrefs: 00405330, 0040534A, 0040535A, 00405377
del, xrefs: 00405F9A
InstallPath, xrefs: 004059F3
hidcon, xrefs: 00405E5E
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
shc, xrefs: 00405F7A
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
amd64, xrefs: 00405FE4
forcenowait, xrefs: 00405F25
FinishMessage, xrefs: 00406399
XpA, xrefs: 00405581
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
4AA, xrefs: 0040504C
7-Zip SFX, xrefs: 00406490
MiscFlags, xrefs: 0040573F
HelpText, xrefs: 0040595E
GUIMode, xrefs: 004056FF
SelfDelete, xrefs: 0040577C, 0040640B
x86, xrefs: 00405FBE
sfxversion, xrefs: 004050D6
SetEnvironment, xrefs: 0040586E, 0040591F
7zSfxString%d, xrefs: 0040558F
sfxconfig, xrefs: 0040527C, 00405488
BeginPrompt, xrefs: 00405A71
;!@InstallEnd@!, xrefs: 00405431
IA, xrefs: 004055D2, 004058FB
Delete, xrefs: 00406352
OverwriteMode, xrefs: 004056BB
@DA, xrefs: 00405699
7ZipSfx.%03x, xrefs: 00405C77
GUIFlags, xrefs: 0040571F
x64, xrefs: 00405FF7
4DA, xrefs: 00406034
;!@Install@!UTF-8!, xrefs: 00405436
Shortcut, xrefs: 0040632A
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
i386, xrefs: 00405FD1
nowait, xrefs: 00405F03
ExecuteParameters, xrefs: 0040605D

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$htS$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-1542993362
Opcode ID: 3447839d119719d05016a7f05a564b7be075a38f3dc1eabf80374ede3987d6c4
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: 3447839d119719d05016a7f05a564b7be075a38f3dc1eabf80374ede3987d6c4
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 0040B1C5
memmove.MSVCRT ref: 0040B289
??3@YAXPAX@Z.MSVCRT ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT ref: 00401171

memcpy.MSVCRT ref: 0040342F
??3@YAXPAX@Z.MSVCRT ref: 0040346C
??3@YAXPAX@Z.MSVCRT ref: 004034B2

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT(?), ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

7zSfxFolder%02d, xrefs: 004044A1
IA, xrefs: 0040447B

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 00408F0F
??2@YAPAXI@Z.MSVCRT ref: 00408F59

Strings

IA, xrefs: 00409225
IA, xrefs: 00409391

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT(?,?,?,?,00417680), ref: 00410D0D

Strings

\KA, xrefs: 00410CE2
4KA, xrefs: 00410CF0
HKA, xrefs: 00410CE9
$KA, xrefs: 00410CF7

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT ref: 0040986E
??2@YAPAXI@Z.MSVCRT ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT ref: 004028E4
memcmp.MSVCRT ref: 00402921
memmove.MSVCRT ref: 00402953

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 00404A5A
??2@YAPAXI@Z.MSVCRT ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040ADD6
memmove.MSVCRT ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT ref: 0040AE00

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT ref: 0040AE00

??3@YAXPAX@Z.MSVCRT ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT ref: 0040CC4A

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT ref: 0040A729

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040114B
??3@YAXPAX@Z.MSVCRT ref: 00401171

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 004022B0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 004022C0
??3@YAXPAX@Z.MSVCRT ref: 004022E4

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
Instruction ID: 09ebe67ff45b08f81c36141d9c2dc2e417a159b47c448e0a3757dda97e47d19e
Opcode Fuzzy Hash: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
Instruction Fuzzy Hash: 8CF030351046529FC330DF69C584853F7E4EB59715721887FE1D6D36A2C674A880CB64

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: FindCloseChangeNotification.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID:
API String ID: 727422849-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040D985 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040D89F Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040D91A

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
Instruction ID: 1ceb60bf2594cd826c4dcd58ac8a3e75a9726935558582f6c117c88f0dd7e0c4
Opcode Fuzzy Hash: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
Instruction Fuzzy Hash: 4A219372A042858FCF30FF91D98096B77A5AF50358320853FE093732C1DA38AD49D75A

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT(?), ref: 0040F446

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00402F71

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT(?), ref: 0040F400

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT(00404F9B,00000000,00417794), ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT ref: 004035F9
??3@YAXPAX@Z.MSVCRT ref: 00403601
??3@YAXPAX@Z.MSVCRT ref: 00403609
??3@YAXPAX@Z.MSVCRT ref: 00403611
??3@YAXPAX@Z.MSVCRT ref: 00403619
??3@YAXPAX@Z.MSVCRT ref: 00403621
??3@YAXPAX@Z.MSVCRT ref: 00403629
_wtol.MSVCRT(?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,?), ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT ref: 004037B8
??3@YAXPAX@Z.MSVCRT ref: 004037C0
??3@YAXPAX@Z.MSVCRT ref: 004037C8
??3@YAXPAX@Z.MSVCRT ref: 004037D0
??3@YAXPAX@Z.MSVCRT ref: 004037D8
??3@YAXPAX@Z.MSVCRT ref: 004037E0
??3@YAXPAX@Z.MSVCRT ref: 004037E8
??3@YAXPAX@Z.MSVCRT ref: 004037EE
??3@YAXPAX@Z.MSVCRT ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT ref: 00402071
??3@YAXPAX@Z.MSVCRT ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT(?), ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

XpA, xrefs: 00401FB4
7zSfxString%d, xrefs: 00401FF7
\3A, xrefs: 00401FDB

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

SetProcessPreferredUILanguages, xrefs: 00401C58
SetThreadPreferredUILanguages, xrefs: 00401CA4
%04X%c%04X%c, xrefs: 00401C8F
kernel32, xrefs: 00401C5D, 00401C62, 00401CA9

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT ref: 00407817
lstrcpyW.KERNEL32(00000000,?), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50), ref: 0040783E
??3@YAXPAX@Z.MSVCRT ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT ref: 00402C6E
??3@YAXPAX@Z.MSVCRT ref: 00402C79

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

SetWindowTheme, xrefs: 00406D70
\EA, xrefs: 00406D98
uxtheme, xrefs: 00406D5E

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT ref: 00404C72
??3@YAXPAX@Z.MSVCRT ref: 00404C7E
??3@YAXPAX@Z.MSVCRT ref: 00404C84
??3@YAXPAX@Z.MSVCRT ref: 00404CB2

Strings

:Repeat, xrefs: 00404B92
" goto Repeat, xrefs: 00404BE0
7ZSfx%03x.cmd, xrefs: 00404B58
if exist ", xrefs: 00404BC7
open, xrefs: 00404C63
", xrefs: 00404BB9, 00404BBE, 00404C02
del ", xrefs: 00404B9F, 00404BA4, 00404BED

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT(00000000), ref: 004047DC
_wtol.MSVCRT(00000000), ref: 004047F8

Strings

|wA, xrefs: 0040464B
ExtractDialogWidth, xrefs: 004047BE
WarningTitle, xrefs: 00404697
ExtractPathWidth, xrefs: 004047E5
ExtractPathTitle, xrefs: 00404801
CancelPrompt, xrefs: 00404831
ExtractDialogText, xrefs: 004047AD
OverwriteMode, xrefs: 00404721
ExtractPathText, xrefs: 00404819
GUIFlags, xrefs: 0040473E, 00404743, 0040475F
Progress, xrefs: 004046C7
ExtractTitle, xrefs: 004046AF
Title, xrefs: 00404611
ExtractCancelText, xrefs: 004047A1
MiscFlags, xrefs: 00404771, 00404776, 00404792
ErrorTitle, xrefs: 0040467F
GUIMode, xrefs: 004046F4

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT ref: 00402EFA
??3@YAXPAX@Z.MSVCRT ref: 00402F02

Strings

STATIC, xrefs: 00402DDD
riched20, xrefs: 00402E3D
RichEdit20W, xrefs: 00402E8C
{\rtf, xrefs: 00402E09

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

STATIC, xrefs: 00401E13
IMAGES, xrefs: 00401E4E

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004030F6
??3@YAXPAX@Z.MSVCRT ref: 004030FE
strncmp.MSVCRT(0040414C,{\rtf,00000005,00000000,00000000,hAA,00000000), ref: 004031F1
??3@YAXPAX@Z.MSVCRT ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT ref: 00403347

Strings

SetEnvironment, xrefs: 0040326B
MiscFlags, xrefs: 004032C0
hAA, xrefs: 0040309E
{\rtf, xrefs: 004031D6, 004031EB
GUIFlags, xrefs: 004032B2

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040C603

Strings

IA, xrefs: 0040C65E
IA, xrefs: 0040C4C6
IA, xrefs: 0040C4D9
IA, xrefs: 0040C74D
IA, xrefs: 0040C66E
IA, xrefs: 0040C4AF

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00408479

Strings

SetEnvironment, xrefs: 004083BC
ErrorTitle, xrefs: 00408511
WarningTitle, xrefs: 0040853A
HelpText, xrefs: 00408598
BeginPrompt, xrefs: 004084A4, 004084A9
FinishMessage, xrefs: 00408417, 00408433

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT ref: 00404156
??3@YAXPAX@Z.MSVCRT ref: 0040415E
??3@YAXPAX@Z.MSVCRT ref: 0040416D
??3@YAXPAX@Z.MSVCRT ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00404D3E
??3@YAXPAX@Z.MSVCRT ref: 00404DA0
??3@YAXPAX@Z.MSVCRT ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT ref: 0040349D

Strings

03A, xrefs: 00404CCF
;!@Install@!UTF-8!, xrefs: 00404D59
;!@InstallEnd@!, xrefs: 00404D73

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(00000280), ref: 004075CD
ResumeThread.KERNEL32(00000280), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT ref: 004043B6

??3@YAXPAX@Z.MSVCRT ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

:Language:%u!, xrefs: 00404EB6
;!@Install@!UTF-8!, xrefs: 00404E4A
;!@InstallEnd@!, xrefs: 00404E59

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004038C6
??3@YAXPAX@Z.MSVCRT ref: 00403904
??3@YAXPAX@Z.MSVCRT ref: 0040392A
??3@YAXPAX@Z.MSVCRT ref: 00403932

Strings

%%T\, xrefs: 004038A6
%%T/, xrefs: 004038E4

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00403981
??3@YAXPAX@Z.MSVCRT ref: 004039BF
??3@YAXPAX@Z.MSVCRT ref: 004039E5
??3@YAXPAX@Z.MSVCRT ref: 004039ED

Strings

%%S\, xrefs: 00403961
%%S/, xrefs: 0040399F

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00403A3C
??3@YAXPAX@Z.MSVCRT ref: 00403A7A
??3@YAXPAX@Z.MSVCRT ref: 00403AA0
??3@YAXPAX@Z.MSVCRT ref: 00403AA8

Strings

%%M/, xrefs: 00403A5A
%%M\, xrefs: 00403A1C

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

xJA, xrefs: 0040E493
$JA, xrefs: 0040E4B6
4JA, xrefs: 0040E4AF
DJA, xrefs: 0040E4A8
TJA, xrefs: 0040E4A1
hJA, xrefs: 0040E49A

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT ref: 0040AE00

??2@YAPAXI@Z.MSVCRT ref: 0040C245

Strings

IA, xrefs: 0040C11B
IA, xrefs: 0040C12D
IA, xrefs: 0040C0EC

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT ref: 0040E864
memcpy.MSVCRT ref: 0040E88D
??3@YAXPAX@Z.MSVCRT ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

GetNativeSystemInfo, xrefs: 00402200
kernel32, xrefs: 00402205

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

Wow64RevertWow64FsRedirection, xrefs: 0040218E
kernel32, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

Wow64DisableWow64FsRedirection, xrefs: 004021C0
kernel32, xrefs: 004021C5

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT ref: 00402ADC
??3@YAXPAX@Z.MSVCRT ref: 00402AF7
??3@YAXPAX@Z.MSVCRT ref: 00402AFF

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT ref: 00402839

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT ref: 00403AFD
??3@YAXPAX@Z.MSVCRT ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT ref: 00403B1D

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT([G@,GUIFlags,00000000,00403CF4,00000000,0041734C,0040475B,00000000), ref: 00403C89

Strings

[G@, xrefs: 00403C64, 00403C88
GUIFlags, xrefs: 00403C68

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 00000000.00000002.1663225834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1663211425.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663253028.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663276406.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663293158.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4OVYJHCTFA.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: EASteamProxy.exePID: 4888, Parent PID: 5316COMMON

Non-executed Functions

Function 00007FFDFAE9125D Relevance: 63.2, APIs: 35, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAEBC8E0: OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64(?,00007FFDFAEB76D8), ref: 00007FFDFAEBC901
Part of subcall function 00007FFDFAEBC8E0: OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64(?,00007FFDFAEB76D8), ref: 00007FFDFAEBC917
Part of subcall function 00007FFDFAEBC8E0: X509_free.LIBCRYPTO-1_1-X64(?,00007FFDFAEB76D8), ref: 00007FFDFAEBC924

BIO_pop.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB76F4
BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7701
BIO_free_all.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7712
BIO_free_all.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB771B
BUF_MEM_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7727
OPENSSL_sk_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7733
OPENSSL_sk_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB773F
OPENSSL_sk_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB774B
OPENSSL_sk_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7757
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB779A
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB77C7
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB77E0
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7805
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB781E
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7837
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7850
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7863
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7876
SCT_LIST_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7882
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB789B
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB78B4
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB78CD
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB78E6
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB790B
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7924
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB793D
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7949
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB795C
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB796F
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7982
ASYNC_WAIT_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB79B5
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB79CE
OPENSSL_sk_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB79DA
CRYPTO_THREAD_lock_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB79E6
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB79FB

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEB778D, 00007FFDFAEB77BA, 00007FFDFAEB77D3, 00007FFDFAEB77F8, 00007FFDFAEB7811, 00007FFDFAEB782A, 00007FFDFAEB7843, 00007FFDFAEB788E, 00007FFDFAEB78A7, 00007FFDFAEB78C0, 00007FFDFAEB78D9, 00007FFDFAEB78FE, 00007FFDFAEB791D, 00007FFDFAEB7930, 00007FFDFAEB79C1, 00007FFDFAEB79F1

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$L_sk_pop_free$L_sk_free$O_free_allX_free$D_lock_freeM_freeO_popT_freeX509_free
String ID: ssl\ssl_lib.c
API String ID: 2505111139-1984206432
Opcode ID: 5edb233c093858804dae48b48acc5f475168033ea7718e4b02de9740581d141b
Instruction ID: eb69dcf404300908d64929bcdb6f1890dbce5810e33959a45ed0663235c39c30
Opcode Fuzzy Hash: 5edb233c093858804dae48b48acc5f475168033ea7718e4b02de9740581d141b
Instruction Fuzzy Hash: CA812261B5968750EB48FF21D471AB82761EFC4B88F5400B2DD2E4B2DEDE2EE151C350

Function 00007FFDFAEAFAA0 Relevance: 57.1, APIs: 22, Strings: 10, Instructions: 1070stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAEAFB09
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAEAFB48
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAFC17
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAFCB5
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0572
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0591
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB05B3
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAEB0734
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB07C8
OPENSSL_sk_new_null.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB07D9
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB07F8
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB080F
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0825
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0830
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0842
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0861
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0885
OPENSSL_sk_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB08A9
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB08E8
OPENSSL_sk_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB08F0

Strings

DEFAULT, xrefs: 00007FFDFAEB0727
ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FFDFAEAFC49, 00007FFDFAEAFC56
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FFDFAEAFC42
ssl\ssl_ciph.c, xrefs: 00007FFDFAEAFBF8, 00007FFDFAEAFCAA, 00007FFDFAEB055C, 00007FFDFAEB0584, 00007FFDFAEB05A3, 00007FFDFAEB07BE, 00007FFDFAEB07F1, 00007FFDFAEB0878, 00007FFDFAEB08E1
SUITEB128C2, xrefs: 00007FFDFAEAFB3E
SUITEB128, xrefs: 00007FFDFAEAFB73
SUITEB128ONLY, xrefs: 00007FFDFAEAFB00
ALL:!COMPLEMENTOFDEFAULT:!eNULL, xrefs: 00007FFDFAEB0758
ECDHE-ECDSA-AES128-GCM-SHA256, xrefs: 00007FFDFAEAFC5F
SUITEB192, xrefs: 00007FFDFAEAFBA6

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$strncmp$L_sk_freeL_sk_numL_sk_pushO_mallocR_put_error$L_sk_new_nullL_sk_value
String ID: ALL:!COMPLEMENTOFDEFAULT:!eNULL$DEFAULT$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$ssl\ssl_ciph.c
API String ID: 3367745429-2885208142
Opcode ID: 4b47e89f05c2e57473f2cca69518c8e1aa18fa6a9eb4aa7d97ba280c1e87154c
Instruction ID: 2742082f734d5159a81a152be1e8d13faf6ced4db38f1d2005bacbf67634e8ec
Opcode Fuzzy Hash: 4b47e89f05c2e57473f2cca69518c8e1aa18fa6a9eb4aa7d97ba280c1e87154c
Instruction Fuzzy Hash: E2A27D62B09B4681EB5CDB05D464AB927A0FB54BC4F288076DE6E477D8DF3EE941C340

Function 00007FFDFAE91E7E Relevance: 56.4, APIs: 30, Strings: 2, Instructions: 380COMMON

Download Yara Rule

APIs

COMP_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF2211
COMP_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF2226
EVP_CIPHER_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF2320
EVP_CIPHER_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF21BF

Part of subcall function 00007FFDFAE91D39: EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBEA4C
Part of subcall function 00007FFDFAE91D39: EVP_MD_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBEA58
Part of subcall function 00007FFDFAE91D39: EVP_DigestInit_ex.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBEA73

EVP_MD_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF2302
EVP_CIPHER_CTX_reset.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF23F7
EVP_CIPHER_key_length.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF2417
EVP_CIPHER_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF2429

Strings

x, xrefs: 00007FFDFAEF21D0
ssl\t1_enc.c, xrefs: 00007FFDFAEF2700

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X_new$X_free$DigestInit_exR_flagsR_key_lengthX_reset
String ID: ssl\t1_enc.c$x
API String ID: 2151083367-3308336201
Opcode ID: 9ac3c8daaeefe3e3544ba6915bf0183429b6919892cddb03836d8b752e6843cd
Instruction ID: 3dbdc6cab3f0d113d89dfa1b377d9c9d7ebc2aa2a8d9845d5b040ad6fc3969cd
Opcode Fuzzy Hash: 9ac3c8daaeefe3e3544ba6915bf0183429b6919892cddb03836d8b752e6843cd
Instruction Fuzzy Hash: 07F1BD72B0968285EB68EB16D460BB937A0EB84B88F144075DE6E4B7DDDF3EE505C700

Function 00007FFDFAEED9C0 Relevance: 53.2, APIs: 27, Strings: 3, Instructions: 730COMMON

Download Yara Rule

APIs

OPENSSL_sk_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAEEEDAC), ref: 00007FFDFAEEDA65
OPENSSL_sk_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAEEEDAC), ref: 00007FFDFAEEDA6E
CRYPTO_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAEEEDAC), ref: 00007FFDFAEEDA83
CRYPTO_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAEEEDAC), ref: 00007FFDFAEEDA98
memcmp.VCRUNTIME140 ref: 00007FFDFAEEDCAB
OPENSSL_sk_num.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAEEEDAC), ref: 00007FFDFAEEDD74
OPENSSL_sk_value.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAEEEDAC), ref: 00007FFDFAEEDD86
OPENSSL_sk_num.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAEEEDAC), ref: 00007FFDFAEEDDE2

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEED9E4, 00007FFDFAEEE637
P, xrefs: 00007FFDFAEED9F5
@, xrefs: 00007FFDFAEEE094

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_freeL_sk_numO_free$L_sk_valuememcmp
String ID: @$P$ssl\statem\statem_srvr.c
API String ID: 1579232405-2773259132
Opcode ID: 1e1eebd072479c53277eb78f88deb6ddcaddd566dd79290bc76449fe5b28a1f0
Instruction ID: 0989a03129173fdb5e7551e78f5eca08f5b2b2a673e57ded17cc44c7626b05c9
Opcode Fuzzy Hash: 1e1eebd072479c53277eb78f88deb6ddcaddd566dd79290bc76449fe5b28a1f0
Instruction Fuzzy Hash: 3E729332B0878185EB68AF11D4A0BB927A1FB84B88F154175DE6E477C8DF7EE984C740

Function 00007FFDFAE9FEA0 Relevance: 46.3, APIs: 18, Strings: 8, Instructions: 787COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA02D8
EVP_CIPHER_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA02E0
EVP_MD_CTX_md.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA04B9
EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA04C1
CRYPTO_memcmp.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA053A

Strings

ssl\record\ssl3_record.c, xrefs: 00007FFDFAEA035D, 00007FFDFAEA0BB8, 00007FFDFAEA0C60
POST , xrefs: 00007FFDFAEA0B47
@, xrefs: 00007FFDFAEA069A
PUT , xrefs: 00007FFDFAEA0B84
, xrefs: 00007FFDFAEA0440
CONNE, xrefs: 00007FFDFAEA0B98
GET , xrefs: 00007FFDFAEA0B24
HEAD , xrefs: 00007FFDFAEA0B65

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: D_sizeO_memcmpR_flagsX_cipherX_md
String ID: $@$CONNE$GET $HEAD $POST $PUT $ssl\record\ssl3_record.c
API String ID: 2456506815-2560565758
Opcode ID: e7706c2f1669ebe68dd85e4002c5695d0f899efbdcd1ef2bc961e3bfae9fe9c4
Instruction ID: 4935ac17dbf02824060198c946c0a5b5e44a9d06263ec05c7b87d89a99cdf7f8
Opcode Fuzzy Hash: e7706c2f1669ebe68dd85e4002c5695d0f899efbdcd1ef2bc961e3bfae9fe9c4
Instruction Fuzzy Hash: 1D72B3B2B0864386F768AE11D464BBA27A0FB44B88F144175DA6E4F6DCCF7EE585C700

Function 00007FFDFAE91924 Relevance: 44.0, APIs: 19, Strings: 6, Instructions: 207COMMON

Download Yara Rule

APIs

OBJ_nid2sn.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0D71
OBJ_nid2sn.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0DB7
EVP_get_digestbyname.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0DBF
EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0DDE
EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0E41
EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0E61
ENGINE_finish.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0E75
EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0EB3
EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0ED3
ENGINE_finish.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0EE7
EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0F28
EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0F48
ENGINE_finish.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0F5C
EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0F88
EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0FA8
ENGINE_finish.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0FBC
EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0FE8
EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB1008
ENGINE_finish.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB101C

Strings

`, xrefs: 00007FFDFAEB0DFD
gost2001, xrefs: 00007FFDFAEB0F1A
gost2012_256, xrefs: 00007FFDFAEB0F7A
gost2012_512, xrefs: 00007FFDFAEB0FDA
gost-mac, xrefs: 00007FFDFAEB0E29
gost-mac-12, xrefs: 00007FFDFAEB0EA5

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: E_finishY_asn1_find_strY_asn1_get0_info$J_nid2sn$D_sizeP_get_digestbyname
String ID: `$gost-mac$gost-mac-12$gost2001$gost2012_256$gost2012_512
API String ID: 910905907-344903700
Opcode ID: 5fedafdb049cfe5a68230e956647f7fdb2efb14dfadca6c3d4315fec8435463b
Instruction ID: 52abdcc5bc1d11e88599489686ef0b50a0e06a15ed72f7a329e145df3b63ad64
Opcode Fuzzy Hash: 5fedafdb049cfe5a68230e956647f7fdb2efb14dfadca6c3d4315fec8435463b
Instruction Fuzzy Hash: 01A13032B046518AF728AF24E861AA937A0EF4879CF450276F96E47ADDDF3DE540C740

Function 00007FFDFAEFBDF0 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFDFAEFBE31
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBE86
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBEA7
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBEC8
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBEE9
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBF06
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBF23
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBF40
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBF5D
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBF92
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBFC7
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBFFC
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC015
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC02E
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC03A
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC046
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC052
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC05E
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC06A
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC076
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC082
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC08E
memset.VCRUNTIME140 ref: 00007FFDFAEFC0A0

Strings

ssl\tls_srp.c, xrefs: 00007FFDFAEFBF8B, 00007FFDFAEFBFC0, 00007FFDFAEFBFE7, 00007FFDFAEFC008, 00007FFDFAEFC021

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: N_dupN_free$O_freeO_strdupmemset$R_put_error
String ID: ssl\tls_srp.c
API String ID: 945879394-1545769946
Opcode ID: 249567f10675a8dddb28611a2c939c80c9f015c988d40df76b81d63f0a085f6c
Instruction ID: 882612c9b5720b7cc56adc7769fd555d37f586c40ada2153819c6dec40db1902
Opcode Fuzzy Hash: 249567f10675a8dddb28611a2c939c80c9f015c988d40df76b81d63f0a085f6c
Instruction Fuzzy Hash: 8A714226B0AAC285EB5DFF25D460BB823A0EF44B48F480575DA6E4B3DDDF2EE4508750

Function 00007FFDFAE91BFE Relevance: 40.5, APIs: 18, Strings: 5, Instructions: 211COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB4A9D
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB4AEF
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB4B14

Strings

ssl3-sha1, xrefs: 00007FFDFAEB4CDF
ssl\ssl_lib.c, xrefs: 00007FFDFAEB4A93, 00007FFDFAEB4ADF, 00007FFDFAEB4AFF, 00007FFDFAEB4B3E, 00007FFDFAEB4B9E, 00007FFDFAEB4BC4, 00007FFDFAEB4D53
ssl3-md5, xrefs: 00007FFDFAEB4CB7
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256, xrefs: 00007FFDFAEB4C45
ALL:!COMPLEMENTOFDEFAULT:!eNULL, xrefs: 00007FFDFAEB4C77

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ALL:!COMPLEMENTOFDEFAULT:!eNULL$TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256$ssl3-md5$ssl3-sha1$ssl\ssl_lib.c
API String ID: 1767461275-1893717465
Opcode ID: 116dd82f45b5296ac063b7c3dedc55f03cc8161c4ff069e7672b642118ad5e3a
Instruction ID: b1e06c0e04a989f41dab9cb305279900c594023d25c4bd8f27630b7b26aea486
Opcode Fuzzy Hash: 116dd82f45b5296ac063b7c3dedc55f03cc8161c4ff069e7672b642118ad5e3a
Instruction Fuzzy Hash: A0A15E31B0978281FB59EF25E464BA827A4EF44788F440175DA6E4B3CAEF7EE544C350

Function 00007FFDFAEF8F30 Relevance: 37.1, APIs: 20, Strings: 1, Instructions: 333COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF9309
HMAC_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF9311

Strings

ssl\t1_lib.c, xrefs: 00007FFDFAEF91AD, 00007FFDFAEF9214, 00007FFDFAEF9253, 00007FFDFAEF92DC

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X_free
String ID: ssl\t1_lib.c
API String ID: 2268491255-1168734446
Opcode ID: 3697b52030e16ce225c467ee97aeab05674fcb31bf04c97b82d471639227b917
Instruction ID: 8196174898201de47a19baa9b39a22adea3c9d8e8845afe87270c23f78ec4e30
Opcode Fuzzy Hash: 3697b52030e16ce225c467ee97aeab05674fcb31bf04c97b82d471639227b917
Instruction Fuzzy Hash: 84D18066B096C286FB6CAA5694A0BBD6390FB45B88F400075DEAF477CDDF3EE5408700

Function 00007FFDFAEBCB20 Relevance: 37.1, APIs: 20, Strings: 1, Instructions: 325COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBCB6F
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBCBBF

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBCB54, 00007FFDFAEBCBA0, 00007FFDFAEBCBD9, 00007FFDFAEBCC3B, 00007FFDFAEBCC6E, 00007FFDFAEBCCB6, 00007FFDFAEBCCED, 00007FFDFAEBCD19, 00007FFDFAEBCD4E, 00007FFDFAEBCE7F, 00007FFDFAEBCFA1, 00007FFDFAEBCFEB, 00007FFDFAEBD01A

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\ssl_lib.c
API String ID: 1767461275-1984206432
Opcode ID: 2440ca413dc9564f10d471aed1ebdb51538584fd0bc9527e3cd9d027185fb81a
Instruction ID: ff78c17da9bdfc983720a827e02b29958bb1089703317619ab1b494724b59bf1
Opcode Fuzzy Hash: 2440ca413dc9564f10d471aed1ebdb51538584fd0bc9527e3cd9d027185fb81a
Instruction Fuzzy Hash: 60D10822B4D58282F768BB15E424ABA66A1EFC87D8F004176EA6E077DDDF3ED5418700

Function 00007FFDFAE91F05 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE71F3
X509_get0_pubkey.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE7253
BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE76BE
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE76D8
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE76E9

Strings

ssl\statem\statem_lib.c, xrefs: 00007FFDFAEE7200, 00007FFDFAEE7231, 00007FFDFAEE7482, 00007FFDFAEE74C9, 00007FFDFAEE7653, 00007FFDFAEE7685, 00007FFDFAEE76A1

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$X509_get0_pubkeyX_freeX_new
String ID: ssl\statem\statem_lib.c
API String ID: 1476775391-846902345
Opcode ID: ed6dd363b397eafcb157ddb144b2340ca766b280490701081492be6878bb05db
Instruction ID: 39fadea5bb9670ab4e8db671e1fbbb9cfd881f7b489db0976a2f832689b246c9
Opcode Fuzzy Hash: ed6dd363b397eafcb157ddb144b2340ca766b280490701081492be6878bb05db
Instruction Fuzzy Hash: A0E1B032B0868285EB68AB15D4A0BBD77B0EB84B88F054071DE6E077D9DF3EE955C740

Function 00007FFDFAE91D8E Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

BN_copy.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC2A9
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC2BA
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC2CB
BN_copy.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC2EB
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC2FC
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC30D
BN_copy.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC32D
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC33E
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC34F
BN_copy.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC377
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC388
BN_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC396
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC3C5
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC3DA

Strings

ssl\tls_srp.c, xrefs: 00007FFDFAEFC3BE, 00007FFDFAEFC3D0

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: N_copyN_dupN_free$O_freeO_strdup
String ID: ssl\tls_srp.c
API String ID: 3726006556-1545769946
Opcode ID: c88c27156513676a6b080e170020ade8c729ce80db3ae918430029ba427a8b99
Instruction ID: a36da4dfd621da61237f9acae55b9390a5da3bad25f09373fde8da72aaa64050
Opcode Fuzzy Hash: c88c27156513676a6b080e170020ade8c729ce80db3ae918430029ba427a8b99
Instruction Fuzzy Hash: 83414321B4EAC180EB98BE51E0A0ABD23D0EF84BC8F1855F5DD6F0B6CDDE6EA4414751

Function 00007FFDFAEC3290 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

CRYPTO_free_ex_data.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC32CF
OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC32DD
OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC32EE
X509_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC32FA
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC330D
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC3326
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC333F
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC3358
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC3371
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC338A
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC33A3
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC33BC
CRYPTO_THREAD_lock_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC33C8
CRYPTO_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC33E2

Strings

ssl\ssl_sess.c, xrefs: 00007FFDFAEC3319, 00007FFDFAEC3332, 00007FFDFAEC334B, 00007FFDFAEC3364, 00007FFDFAEC337D, 00007FFDFAEC3396, 00007FFDFAEC33AF, 00007FFDFAEC33D3

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$L_cleanse$D_lock_freeL_sk_pop_freeO_clear_freeO_free_ex_dataX509_free
String ID: ssl\ssl_sess.c
API String ID: 4155952050-3038452671
Opcode ID: e742dd07ee9f90f3b61f484d87642b308009f4e7cded6c223b73e0a217fd3342
Instruction ID: 1b7a4e7223f485f1772a974dedcec4f9a6077726fd5aef78a71ec45f19fa1a09
Opcode Fuzzy Hash: e742dd07ee9f90f3b61f484d87642b308009f4e7cded6c223b73e0a217fd3342
Instruction Fuzzy Hash: 4C318F21B4968391EB48BB25D474AF81761EFC4B98F5001B2EC2E4B2DECE2ED106C720

Function 00007FFDFAEE8CC0 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 351COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE8D50
CRYPTO_free.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE8DFD
EVP_CIPHER_CTX_free.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE8E05
HMAC_CTX_free.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE8E0D
CRYPTO_free.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE8F38
EVP_CIPHER_CTX_free.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE8F40
HMAC_CTX_free.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE8F48
RAND_bytes.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE8FC1
EVP_sha256.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE8FF9

Part of subcall function 00007FFDFAE910CD: BUF_MEM_grow.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE97FF3
Part of subcall function 00007FFDFAE910CD: memcpy.VCRUNTIME140 ref: 00007FFDFAE98025

EVP_EncryptUpdate.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE90CC
EVP_EncryptFinal.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE9110
HMAC_Update.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE9186
HMAC_Final.LIBCRYPTO-1_1-X64(?,?,?,?,ssl\statem\statem_srvr.c,?,?,?,00007FFDFAEEC7B7), ref: 00007FFDFAEE91AF

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEE8CC4, 00007FFDFAEE8D3D, 00007FFDFAEE9248

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X_free$EncryptFinalO_freeUpdate$D_bytesM_growO_mallocP_sha256memcpy
String ID: ssl\statem\statem_srvr.c
API String ID: 1480902132-322006118
Opcode ID: fa522f07f465f1580acf7f09d6ae284259715a3d0108a0255bc8f0b61941dfec
Instruction ID: 18bde3e3ed6f76330bb3978262122b3a948d7b8cd54f6936fdabcf21ef30b6a4
Opcode Fuzzy Hash: fa522f07f465f1580acf7f09d6ae284259715a3d0108a0255bc8f0b61941dfec
Instruction Fuzzy Hash: A3E1A521B0C64285FB68AB66E460ABD67A1EF49788F014171DE2E57BCDDF3EE905C700

Function 00007FFDFAEAECC0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_run_once.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAED1D
OPENSSL_sk_find.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAED40
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAED4E
EVP_CIPHER_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAEE82
EVP_get_cipherbyname.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAEEE1
EVP_get_cipherbyname.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAEEFE
EVP_get_cipherbyname.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAEF1E
EVP_get_cipherbyname.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAEF3B
EVP_get_cipherbyname.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAEF5B

Strings

RC4-HMAC-MD5, xrefs: 00007FFDFAEAEEDA
AES-256-CBC-HMAC-SHA256, xrefs: 00007FFDFAEAEF54
AES-256-CBC-HMAC-SHA1, xrefs: 00007FFDFAEAEF17
AES-128-CBC-HMAC-SHA1, xrefs: 00007FFDFAEAEEF7
AES-128-CBC-HMAC-SHA256, xrefs: 00007FFDFAEAEF34

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: P_get_cipherbyname$D_run_onceL_sk_findL_sk_valueR_flags
String ID: AES-128-CBC-HMAC-SHA1$AES-128-CBC-HMAC-SHA256$AES-256-CBC-HMAC-SHA1$AES-256-CBC-HMAC-SHA256$RC4-HMAC-MD5
API String ID: 4011776655-741925770
Opcode ID: eb0d91b5fb40831347f66fe92ce631b7898624dd5398130cd173c8957681ed1b
Instruction ID: 2ad3993c4a4b1f7d502ac609d5bde9b04c1487df74bac995fea4fdb71b3617b2
Opcode Fuzzy Hash: eb0d91b5fb40831347f66fe92ce631b7898624dd5398130cd173c8957681ed1b
Instruction Fuzzy Hash: 0D817CB1B0975286EF78BB209460A7832A0FF54B54F5445B1DAAE4A3CCDF3EE841C600

Function 00007FFDFAE91E83 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_iv_length.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA2327
memcpy.VCRUNTIME140 ref: 00007FFDFAEA274B

Strings

M, xrefs: 00007FFDFAEA270A
ssl\record\ssl3_record_tls13.c, xrefs: 00007FFDFAEA22A3, 00007FFDFAEA26EA, 00007FFDFAEA2717

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X_iv_lengthmemcpy
String ID: M$ssl\record\ssl3_record_tls13.c
API String ID: 544732426-532796129
Opcode ID: c388a2bb4ed44af1b668d365b9782c5a2d057b86c18e89b49bd560b2a6c2c6fb
Instruction ID: 441f7cebd0d948de39020558b157c0e75d4650b4460ddd1bb4681e86c87dbac9
Opcode Fuzzy Hash: c388a2bb4ed44af1b668d365b9782c5a2d057b86c18e89b49bd560b2a6c2c6fb
Instruction Fuzzy Hash: 18E10562B08A8286EB28EB25D020BBD37A1FB48748F044175DE5E5BBDDDF3AD455D700

Function 00007FFDFAEA5B40 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5B72
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5B8C
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5BAC
CRYPTO_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5BD3
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5BF3
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5C13
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5C26
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5C39

Part of subcall function 00007FFDFAE92135: BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4870
Part of subcall function 00007FFDFAE92135: EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4895

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5C61
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5C81
memset.VCRUNTIME140 ref: 00007FFDFAEA5C95
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5CC6

Strings

ssl\s3_lib.c, xrefs: 00007FFDFAEA5B5E, 00007FFDFAEA5B98, 00007FFDFAEA5BB8, 00007FFDFAEA5BDF, 00007FFDFAEA5BFF, 00007FFDFAEA5C4D, 00007FFDFAEA5C6D, 00007FFDFAEA5CB3

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$Y_free$L_sk_pop_freeO_clear_freeX_freememset
String ID: ssl\s3_lib.c
API String ID: 2797447013-3639828702
Opcode ID: 1e67df353ba92c745a1a280bdd9da04f98d921e1cccbedfd2955011169719d20
Instruction ID: c763e75f5485eea79cde836a6c2a7a4d81e11f171b81e6ab1cd08e6ca027ea0c
Opcode Fuzzy Hash: 1e67df353ba92c745a1a280bdd9da04f98d921e1cccbedfd2955011169719d20
Instruction Fuzzy Hash: E5416F21B55A8690EB54FF26D4A0BA82361EFC5F88F584172DD1E4F3A9DE2AD1478310

Function 00007FFDFAE9EB00 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 271COMMON

Download Yara Rule

APIs

EVP_MD_CTX_md.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9EBD1
EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9EBD9

Strings

ssl\record\ssl3_record.c, xrefs: 00007FFDFAE9EB6C, 00007FFDFAE9EC16, 00007FFDFAE9EC94, 00007FFDFAE9EED4, 00007FFDFAE9EF13, 00007FFDFAE9EF72

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: D_sizeX_md
String ID: ssl\record\ssl3_record.c
API String ID: 3984586431-2781342121
Opcode ID: 0cd424a9d91b9b495cbeb4094bdc5b2b9c1e0eb3d9e38e95268a1d7c37e5aa69
Instruction ID: 8b1174239c167e78c9223e5eebc01f26c8322dcec44ffe6df70c34d142b7c76f
Opcode Fuzzy Hash: 0cd424a9d91b9b495cbeb4094bdc5b2b9c1e0eb3d9e38e95268a1d7c37e5aa69
Instruction Fuzzy Hash: 19D18232B0878285E764AF21E460BA93790FB88B88F444172DB9E4B6DDDF3EE545C710

Function 00007FFDFAE91F0A Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF2932
memcpy.VCRUNTIME140 ref: 00007FFDFAEF2959
memcpy.VCRUNTIME140 ref: 00007FFDFAEF29D4
memcmp.VCRUNTIME140 ref: 00007FFDFAEF29E9
memcmp.VCRUNTIME140 ref: 00007FFDFAEF2A06
memcmp.VCRUNTIME140 ref: 00007FFDFAEF2A4A
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF2B02
CRYPTO_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF2B1C

Strings

client finished, xrefs: 00007FFDFAEF29DF
ssl\t1_enc.c, xrefs: 00007FFDFAEF2928, 00007FFDFAEF2AF1, 00007FFDFAEF2B0F
extended master secret, xrefs: 00007FFDFAEF2A40
server finished, xrefs: 00007FFDFAEF29FC

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: memcmp$memcpy$O_clear_freeO_mallocR_put_error
String ID: client finished$extended master secret$server finished$ssl\t1_enc.c
API String ID: 1314788138-3981829697
Opcode ID: 4c6acf68c20ad061fd17c56f5ee50e380281f9ee2b2dce8a25de1851053de22b
Instruction ID: f5744825942a0fc081f3b1b0e5390865f033536429bd870cc41b4e739c838dee
Opcode Fuzzy Hash: 4c6acf68c20ad061fd17c56f5ee50e380281f9ee2b2dce8a25de1851053de22b
Instruction Fuzzy Hash: F261C022B08BC181E7649F11E960AB9B7A0EB94BD4F548172EE9E0779DDF3DE581C700

Function 00007FFDFAE91B04 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD491
CRYPTO_mem_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD4A1
OPENSSL_sk_find.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD4D1
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD4EA
CRYPTO_mem_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD4F4
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD518
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD541
CRYPTO_mem_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD54F
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD576
CRYPTO_mem_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD580
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAD5C6

Strings

ssl\ssl_ciph.c, xrefs: 00007FFDFAEAD485, 00007FFDFAEAD4E0, 00007FFDFAEAD4F9, 00007FFDFAEAD56C, 00007FFDFAEAD592, 00007FFDFAEAD5A7

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_mem_ctrl$O_freeR_put_error$L_sk_findL_sk_pushO_malloc
String ID: ssl\ssl_ciph.c
API String ID: 951782134-1912280922
Opcode ID: 73f78fdb839dffbc961a10df852ef025998d25833a5d68eabdcde7f59737b2ee
Instruction ID: 77ee5de770eb79ec76f45a2e418d0fdc626ec4307e9194f9ba66a06e39ebcfa8
Opcode Fuzzy Hash: 73f78fdb839dffbc961a10df852ef025998d25833a5d68eabdcde7f59737b2ee
Instruction Fuzzy Hash: 9541C761B0C64282FB1CBB11E460B795751EF81B98F4441B4EA6E0F7DEDF2EE9418700

Function 00007FFDFAEA7450 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA748B
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA74B0
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA74E2
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA74FC
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA751C
CRYPTO_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA7543
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA7563
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA7583

Part of subcall function 00007FFDFAE92135: BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4870
Part of subcall function 00007FFDFAE92135: EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4895

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA75AB
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA75CB
CRYPTO_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA75F1

Strings

ssl\s3_lib.c, xrefs: 00007FFDFAEA74BC, 00007FFDFAEA7508, 00007FFDFAEA7528, 00007FFDFAEA754F, 00007FFDFAEA756F, 00007FFDFAEA7597, 00007FFDFAEA75B7, 00007FFDFAEA75DF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$O_clear_freeY_free$L_sk_pop_freeX_free
String ID: ssl\s3_lib.c
API String ID: 3257691201-3639828702
Opcode ID: afa32d74d89683db9288191efd2548669b60a1d743f3b7ba9fd018d60101a2f7
Instruction ID: b6be585a38c1bf62e54d80f25f281c5fea8ba8be2268d8535da087b4372795f4
Opcode Fuzzy Hash: afa32d74d89683db9288191efd2548669b60a1d743f3b7ba9fd018d60101a2f7
Instruction Fuzzy Hash: CC414F25B45A8290EB44FF25D4A4BA82361EFC5F88F588172DE5E4F3A9CE3AD147C311

Function 00007FFDFAE918BB Relevance: 21.0, APIs: 11, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBD13
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBD2C
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBD38
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBD44
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBD50
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBD5C
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBD68
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBD74
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBD80
BN_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFBD8C
memset.VCRUNTIME140 ref: 00007FFDFAEFBD9E

Strings

ssl\tls_srp.c, xrefs: 00007FFDFAEFBD06, 00007FFDFAEFBD1F

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: N_free$O_free$memset
String ID: ssl\tls_srp.c
API String ID: 2671087460-1545769946
Opcode ID: 3ac7033c75199dce533fcf73768b14092e515f2b65d8a715aa597904dc4def8e
Instruction ID: 501484b779a7c6580a963551490559f77f17b8853cf0f74d0f21922b4439b94a
Opcode Fuzzy Hash: 3ac7033c75199dce533fcf73768b14092e515f2b65d8a715aa597904dc4def8e
Instruction Fuzzy Hash: 7D11F161F095C281EB48FF21C8A57F82750EF84B4CF4444B2D92E4B2DEDE2EE4828791

Function 00007FFDFAE91357 Relevance: 19.8, APIs: 10, Strings: 1, Instructions: 534COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FFDFAEDF011
memcmp.VCRUNTIME140 ref: 00007FFDFAEDF21E
EVP_CIPHER_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDF255
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDF2C3
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDF353
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDF868

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDEFA4, 00007FFDFAEDF281, 00007FFDFAEDF760

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$memcmp$X_free
String ID: ssl\statem\statem_clnt.c
API String ID: 2968887233-1578583260
Opcode ID: 7504a84d42159ad1e027961f38a0f7d60ff6239c6ea1bac0f2d26c717709b8c6
Instruction ID: 5b0a9ee922f550cbf9a8a21d75492bc8d76cbe9ef229950604cc1cfa19f633b3
Opcode Fuzzy Hash: 7504a84d42159ad1e027961f38a0f7d60ff6239c6ea1bac0f2d26c717709b8c6
Instruction Fuzzy Hash: 49327F32B08A8286EB68EF11D460BFD27A1EB44B98F044175DE6E5B7D8DF3ED5818710

Function 00007FFDFAE91861 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 473COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED4106
CRYPTO_strndup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED411E
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED4153
OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED41E8
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFAED42FF
memcpy.VCRUNTIME140 ref: 00007FFDFAED43B7
OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED448B
OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED44A4

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAED40FF, 00007FFDFAED4111
ssl\statem\extensions_srvr.c, xrefs: 00007FFDFAED3FF0, 00007FFDFAED41ED, 00007FFDFAED447D, 00007FFDFAED4743

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_cleanse$O_free$O_strndup_time64memcpy
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h$ssl\statem\extensions_srvr.c
API String ID: 1975566379-2103770359
Opcode ID: 16f6004f5a967cf3b88ce441f31b7daf401cc48bf45c09d45ab7e0535cd71ea7
Instruction ID: 5d9d9e9012b2acb630ce96aa171ce2e12ca026782c30cd2166fed47361fb64d6
Opcode Fuzzy Hash: 16f6004f5a967cf3b88ce441f31b7daf401cc48bf45c09d45ab7e0535cd71ea7
Instruction Fuzzy Hash: 2722C272B0878181EB58AB25E420AAD77A1FB94798F044135EEAE17BDCDF7DE544CB00

Function 00007FFDFAE91028 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 331COMMON

Download Yara Rule

APIs

EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDD9A1
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDDA79
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDDEC5

Strings

y, xrefs: 00007FFDFAEDDE82
d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAEDDA97, 00007FFDFAEDDAA7
ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDD9AD, 00007FFDFAEDDA50, 00007FFDFAEDDAD1, 00007FFDFAEDDAF2

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeX_freeY_free
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h$ssl\statem\statem_clnt.c$y
API String ID: 392469334-833031642
Opcode ID: 4d66bef3ea72c85f3f613bdc1671326adce6890a9edcc4b89d5b5d38e6cffe52
Instruction ID: 5641517a7e131e2b8b683889712d1aa63546bea082134335002e7605cbb2e5ed
Opcode Fuzzy Hash: 4d66bef3ea72c85f3f613bdc1671326adce6890a9edcc4b89d5b5d38e6cffe52
Instruction Fuzzy Hash: 39E1A032B0968285FB28AB12D4A0BBD2B61EB45B98F144171DE6E17BDDDF3EE145C700

Function 00007FFDFAE9191F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB6FDF

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEB6FCF, 00007FFDFAEB7151

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\ssl_lib.c
API String ID: 1767461275-1984206432
Opcode ID: 24d63c7a09e9d7fa21b137e5851fae9ea8a00152c5120eb9eb5ff83f728f42e1
Instruction ID: 1225b0a9588c7d62f8ffc0ae24d846e7f0c85cf9c8378977483d57b1498f3b97
Opcode Fuzzy Hash: 24d63c7a09e9d7fa21b137e5851fae9ea8a00152c5120eb9eb5ff83f728f42e1
Instruction Fuzzy Hash: 06D13A32B05B8286EB98EF25D560BAD77A0FB44B84F044076DB6E87799DF39E460C710

Function 00007FFDFAE9101E Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAEDB110: OPENSSL_cleanse.LIBCRYPTO-1_1-X64(?,?,00000000,?,?,?,00007FFDFAEDC09E), ref: 00007FFDFAEDB376
Part of subcall function 00007FFDFAEDB110: OPENSSL_cleanse.LIBCRYPTO-1_1-X64(?,?,00000000,?,?,?,00007FFDFAEDC09E), ref: 00007FFDFAEDB385
Part of subcall function 00007FFDFAEDB110: CRYPTO_clear_free.LIBCRYPTO-1_1-X64(?,?,00000000,?,?,?,00007FFDFAEDC09E), ref: 00007FFDFAEDB399
Part of subcall function 00007FFDFAEDB110: CRYPTO_clear_free.LIBCRYPTO-1_1-X64(?,?,00000000,?,?,?,00007FFDFAEDC09E), ref: 00007FFDFAEDB3AD

EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDC12D
BN_num_bits.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDC195
BN_bn2bin.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDC1D7
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDC1E4
CRYPTO_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDC446
CRYPTO_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDC485

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDC076

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_clear_free$L_cleanseY_free$N_bn2binN_num_bits
String ID: ssl\statem\statem_clnt.c
API String ID: 1003888974-1578583260
Opcode ID: b12cd205d4517f9aee25c3d5286acd058a855cf17efb19c18665af6d5c37bc79
Instruction ID: c756be0cc1f0edc3feee0ee6fcfbba3d4b7e574858c24697c92e69e3c61d2633
Opcode Fuzzy Hash: b12cd205d4517f9aee25c3d5286acd058a855cf17efb19c18665af6d5c37bc79
Instruction Fuzzy Hash: 58B1837274878281EB68AA16D460FBD6691EFC5BC8F140175DE6E0BBD9CF3EE5428700

Function 00007FFDFAF7BF18 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 224COMMON

Download Yara Rule

APIs

iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7BF8C
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7BFB9
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF7BFC3
btowc.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDFAF7BFCF
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7BFFB
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7C029
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7C13D
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7C166

Strings

0, xrefs: 00007FFDFAF7BFF2
0, xrefs: 00007FFDFAF7BFE2

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: iswdigit$btowclocaleconv
String ID: 0$0
API String ID: 240710166-203156872
Opcode ID: 52bdcd1661f66ded3ac41b0560a82f7fbd8de7ce2f43cda58b4434ea0c2f6ef7
Instruction ID: a3e8e5ead6465f6aa756780da8455c8efd8d2070e2d7316ba815c095dfc28a21
Opcode Fuzzy Hash: 52bdcd1661f66ded3ac41b0560a82f7fbd8de7ce2f43cda58b4434ea0c2f6ef7
Instruction Fuzzy Hash: 80812C72B0854686E7298F25E820AB972A1FF54B58F444235EFAB8B1D8DF7CE845C740

Function 00007FFDFAEADCB0 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

COMP_zlib.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADCBF
CRYPTO_mem_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADCCC
OPENSSL_sk_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADCD8
COMP_get_type.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADCE7
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADD11
COMP_get_name.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADD2B
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADD3E
OPENSSL_sk_sort.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADD4A
CRYPTO_mem_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADD59

Strings

ssl\ssl_ciph.c, xrefs: 00007FFDFAEADD05

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_mem_ctrl$L_sk_newL_sk_pushL_sk_sortO_mallocP_get_nameP_get_typeP_zlib
String ID: ssl\ssl_ciph.c
API String ID: 680475741-1912280922
Opcode ID: 00a709598abc3dbc8b167d8f08de1020a043dcbee0bf2adc1bcec8d4f1fd0657
Instruction ID: 3901229c5f9c9d2b925bc5d478dbfad58166508804ce82b1f87b850681a2ad7a
Opcode Fuzzy Hash: 00a709598abc3dbc8b167d8f08de1020a043dcbee0bf2adc1bcec8d4f1fd0657
Instruction Fuzzy Hash: D7114C60F0964285FB1CBB21E8B5BB46790EF80794F4401B5E86E0B3EADE2EE5508681

Function 00007FFDFAEE2CE0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 314COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,?,00007FFDFAEE2AB3), ref: 00007FFDFAEE2D80
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,?,00007FFDFAEE2AB3), ref: 00007FFDFAEE2D89
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE2D9B
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE2DAD
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE2DBE
memset.VCRUNTIME140(?,?,?,?,?,?,00007FFDFAEE2AB3), ref: 00007FFDFAEE2E35
memcpy.VCRUNTIME140 ref: 00007FFDFAEE2FBA

Strings

ssl\statem\statem_dtls.c, xrefs: 00007FFDFAEE2D1F, 00007FFDFAEE300E, 00007FFDFAEE30C3, 00007FFDFAEE3116

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$X_free$memcpymemset
String ID: ssl\statem\statem_dtls.c
API String ID: 1378287987-3166991913
Opcode ID: f445add2b1eb33bd3fe05b0f9f447db21f1f7262491b7a64c6eaca6a53f28001
Instruction ID: 72a0dcfe16618b1161b46223cbb24fac99a0def178da2403290b56c7c854142f
Opcode Fuzzy Hash: f445add2b1eb33bd3fe05b0f9f447db21f1f7262491b7a64c6eaca6a53f28001
Instruction Fuzzy Hash: 43E1A03270878296EB58AB21D5A07BC37A1FB44788F014075EEAE47BD9CF39D951C700

Function 00007FFDFAF7AAFC Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FFDFAF7AB7E
memchr.VCRUNTIME140 ref: 00007FFDFAF7ABC9
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF7ABE4
memchr.VCRUNTIME140 ref: 00007FFDFAF7AC1F
memchr.VCRUNTIME140 ref: 00007FFDFAF7AC67
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7AD82
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7ADAA

Strings

0, xrefs: 00007FFDFAF7AC0E
0123456789abcdefABCDEF, xrefs: 00007FFDFAF7AB6B, 00007FFDFAF7AB8E, 00007FFDFAF7ABD8, 00007FFDFAF7AC2C

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: memchr$isdigit$localeconv
String ID: 0$0123456789abcdefABCDEF
API String ID: 1981154758-1185640306
Opcode ID: 8ae361ee34485312f7ed44fd03fb5f0ccfe73079ac5dddc4462ade262d27c05a
Instruction ID: f31da24207e76ee671867368e8084eb6afcd9f756d33ad8540a3b312140078ca
Opcode Fuzzy Hash: 8ae361ee34485312f7ed44fd03fb5f0ccfe73079ac5dddc4462ade262d27c05a
Instruction Fuzzy Hash: 9F918E62B1C19647E7299B14F820A797B91FF48B58F455270EEAE4B7C9DE3CE806C700

Function 00007FFDFAEB5F20 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB5F52
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB5FA9
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB5FFD

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEB5F48, 00007FFDFAEB5F95, 00007FFDFAEB5FED, 00007FFDFAEB60A4

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error$O_free
String ID: ssl\ssl_lib.c
API String ID: 3616133153-1984206432
Opcode ID: 532cd12498fd03616bd901348f418b4e8458b3033326a11b32aa42c9f19b8344
Instruction ID: 66e68864c13f9b8aa28872249235b64add925ade3c5712a3b644d92490f7b3b8
Opcode Fuzzy Hash: 532cd12498fd03616bd901348f418b4e8458b3033326a11b32aa42c9f19b8344
Instruction Fuzzy Hash: 8B515D72B08B8281D754EF21D864BAD73A4FB84B98F184175DA6E4B6DDDF39D081CB20

Function 00007FFDFAE91F9B Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 412COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9A72D
BIO_clear_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9AA1B
BIO_set_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9AA28
BIO_snprintf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9AAE1
ERR_add_error_data.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9AAF7

Strings

SSL alert number , xrefs: 00007FFDFAE9AAF0
ssl\record\rec_layer_d1.c, xrefs: 00007FFDFAE9A64C, 00007FFDFAE9A6C4

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_clear_flagsO_freeO_set_flagsO_snprintfR_add_error_data
String ID: SSL alert number $ssl\record\rec_layer_d1.c
API String ID: 3064126697-3956337041
Opcode ID: 29e788401107d9e35ae8dc392b5687aa24359adc80497b301e1e8de4e71edaae
Instruction ID: 566cbb6ca58b267b6043149448625890990fe0a89ddd2a5407436a3b87630008
Opcode Fuzzy Hash: 29e788401107d9e35ae8dc392b5687aa24359adc80497b301e1e8de4e71edaae
Instruction Fuzzy Hash: 90128131B1878285FB68AE159424BB936A0EF48B8CF084175DE6F4B6CDDF7EE4428710

Function 00007FFDFAE918CF Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 280COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDD08D
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDD0BE
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDD27D
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDD2A8

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAEDD26F, 00007FFDFAEDD29B
ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDCFAF, 00007FFDFAEDD35B, 00007FFDFAEDD37D, 00007FFDFAEDD3A1, 00007FFDFAEDD435

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$O_memdup
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h$ssl\statem\statem_clnt.c
API String ID: 3545228654-745417862
Opcode ID: 66bc2bddb1fcd3dbd1650a32e5c16ce5d56ad715c1ec08aba2c6dcd29723987e
Instruction ID: 43769e2ca435e9b5f8dfd738c53ad9193565514b8a298dfcbec54704410c10f9
Opcode Fuzzy Hash: 66bc2bddb1fcd3dbd1650a32e5c16ce5d56ad715c1ec08aba2c6dcd29723987e
Instruction Fuzzy Hash: 76D1CF32B09B8185EB14AF15D8A4AAD3BA4FB48B88F044175DE9E177D9DF3DE185C700

Function 00007FFDFAEDACD0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 198COMMON

Download Yara Rule

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDACD6, 00007FFDFAEDAD39, 00007FFDFAEDAD72
, xrefs: 00007FFDFAEDAEF9

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID:
String ID: $ssl\statem\statem_clnt.c
API String ID: 0-2524742744
Opcode ID: 33ab287a56cff6720fc0ca7f2cb2133c91dbbf44ca4fafe6b7f467acf659f39f
Instruction ID: ddbbb7fcbee3e274d5d04a32f30040dc7043fc621c16df7ab2d8b2735bc54fd3
Opcode Fuzzy Hash: 33ab287a56cff6720fc0ca7f2cb2133c91dbbf44ca4fafe6b7f467acf659f39f
Instruction Fuzzy Hash: 7981837171978246FB68BB12E420BBA6351EF89B88F0441B1ED6F4B7D9DF2ED6018740

Function 00007FFDFAE91EAB Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 170COMMON

Download Yara Rule

APIs

CRYPTO_memcmp.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED4D57
memchr.VCRUNTIME140 ref: 00007FFDFAED4DB8
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED4DEC
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED4E09
CRYPTO_strndup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED4E21

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAED4DF3, 00007FFDFAED4E14
k, xrefs: 00007FFDFAED4E96
ssl\statem\extensions_srvr.c, xrefs: 00007FFDFAED4DA0, 00007FFDFAED4DBD, 00007FFDFAED4E6C, 00007FFDFAED4E9E

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$O_memcmpO_strndupmemchr
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h$k$ssl\statem\extensions_srvr.c
API String ID: 2294304191-516398497
Opcode ID: f75c2c1646a25b7841c98e0bf32e140a8c7c52b88c918a0b5158868fdc92c0b7
Instruction ID: a869b146b0d5d642f0a70b96b1c3ab9d0ef065c4181f27e6b734e13bc5d4ef7d
Opcode Fuzzy Hash: f75c2c1646a25b7841c98e0bf32e140a8c7c52b88c918a0b5158868fdc92c0b7
Instruction Fuzzy Hash: 7A71F572B0878185E7649F14E060BB9B7A0EB94794F444271EAAE4BBD9CF7DE584C700

Function 00007FFDFAE91C08 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9FC28
EVP_CIPHER_CTX_block_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9FC53
memset.VCRUNTIME140 ref: 00007FFDFAE9FC84
EVP_Cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9FCC8
EVP_MD_CTX_md.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9FCD9
EVP_MD_CTX_md.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9FCEA
EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9FCF2

Strings

ssl\record\ssl3_record.c, xrefs: 00007FFDFAE9FD08

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X_md$CipherD_sizeX_block_sizeX_ciphermemset
String ID: ssl\record\ssl3_record.c
API String ID: 2928813329-2781342121
Opcode ID: 7abcd8ff719602abba5b10afc4b62d310e6eaf3f45a0eeca8adc8384b43295b1
Instruction ID: f707c7f4e00e2d8e7969f50bbb7eb3cb1d3cdb99e7cb960b7e7290a249484e46
Opcode Fuzzy Hash: 7abcd8ff719602abba5b10afc4b62d310e6eaf3f45a0eeca8adc8384b43295b1
Instruction Fuzzy Hash: E151D522B1879142EB6CAA16D530AF96791FB48B9CF148171DE2F07BD9DF3EE461C210

Function 00007FFDFAE99F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE99FB0
memset.VCRUNTIME140 ref: 00007FFDFAE9A07F
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9A09D
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9A0AE

Strings

ssl\record\rec_layer_d1.c, xrefs: 00007FFDFAE99FA2

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$O_mallocmemset
String ID: ssl\record\rec_layer_d1.c
API String ID: 1168073369-2186836241
Opcode ID: 02d36a59e7670e264aa46eded7a7d42e82f3dcd1fade487887414fa4f036995c
Instruction ID: 450f4a6918d374eba553b15e40cae21517613a71d0aaa5e8da1583832ded071e
Opcode Fuzzy Hash: 02d36a59e7670e264aa46eded7a7d42e82f3dcd1fade487887414fa4f036995c
Instruction Fuzzy Hash: E9519722B08B8181E718EB35E4106BD6351FF89BC8F144674DE9E5779ADF3EE1918700

Function 00007FFDFAE91005 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE992FA
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE99310
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE99355
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9936B
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE993B5
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE993CB
memset.VCRUNTIME140 ref: 00007FFDFAE993FE

Strings

ssl\record\rec_layer_d1.c, xrefs: 00007FFDFAE992E9, 00007FFDFAE99303, 00007FFDFAE99344, 00007FFDFAE9935E, 00007FFDFAE993A4, 00007FFDFAE993BE

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$memset
String ID: ssl\record\rec_layer_d1.c
API String ID: 286756525-2186836241
Opcode ID: b425b08140aee5bf30ae498e7143dc5d3e84e5d420d1ea2aabb9f70b2a97e298
Instruction ID: e6acbede5a4a3c27aecd462de66082855a7109b027223d27621177607e70f989
Opcode Fuzzy Hash: b425b08140aee5bf30ae498e7143dc5d3e84e5d420d1ea2aabb9f70b2a97e298
Instruction Fuzzy Hash: 99410B21715B4284EF58FB26D4609AC6760EF88BCCF585075EA1E4B7DEDE2EE5428340

Function 00007FFDFAEADBC0 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CRYPTO_mem_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADBDC
OPENSSL_sk_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADBE8
COMP_get_type.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADBF7
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADC21
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADC4E
OPENSSL_sk_sort.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADC5A
CRYPTO_mem_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADC69

Strings

ssl\ssl_ciph.c, xrefs: 00007FFDFAEADC15

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_mem_ctrl$L_sk_newL_sk_pushL_sk_sortO_mallocP_get_type
String ID: ssl\ssl_ciph.c
API String ID: 2525466407-1912280922
Opcode ID: 4371c9c41a08f7a2144dbef6ce007325232d6982c657f3cc59c1098b3ca025ed
Instruction ID: f50c3add271b0c1656c462a60c25a4b1ea94712ef7e06c396570e2c97f8502ac
Opcode Fuzzy Hash: 4371c9c41a08f7a2144dbef6ce007325232d6982c657f3cc59c1098b3ca025ed
Instruction Fuzzy Hash: 40117060F0D74280FF0CBB11E8B5BB46390EF40794F4401B5E86E4B3DADE6EE9508281

Function 00007FFDFAE91B18 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFDFAECA9FF
OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECAB3C
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECAB79
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECAB91
OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECABEF
CRYPTO_memcmp.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECAD77

Strings

ssl\statem\extensions_clnt.c, xrefs: 00007FFDFAECA9B8, 00007FFDFAECAA98, 00007FFDFAECAACC, 00007FFDFAECAB52, 00007FFDFAECABCA

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_cleanse$O_freeO_memcmpO_memdupmemset
String ID: ssl\statem\extensions_clnt.c
API String ID: 780863833-2462086076
Opcode ID: 10651ad7857e592a3f38df1cc2c68346cea94c2a27079ddc6dfcfc0f5d92b2d6
Instruction ID: 313341efb532395e99a07b2e405f9266dc601f9ce25316fa2cfd3b2487856761
Opcode Fuzzy Hash: 10651ad7857e592a3f38df1cc2c68346cea94c2a27079ddc6dfcfc0f5d92b2d6
Instruction Fuzzy Hash: 66E1B531B1878186E768AB11F460BBA67A2FB84788F150174EA6E477DDDF3ED541CB00

Function 00007FFDFAEEFD80 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

EVP_PKEY_get0_RSA.LIBCRYPTO-1_1-X64(?,?,?,?,00007FFDFAEF14EA), ref: 00007FFDFAEEFDB7

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEEFDCF, 00007FFDFAEEFEAE, 00007FFDFAEEFEDF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: Y_get0_
String ID: ssl\statem\statem_srvr.c
API String ID: 2256133966-322006118
Opcode ID: 45c2ed52e1b767dcc348bc426c92b2578aa6aa2b989577805965bc8aabbc6b24
Instruction ID: 320f8dc02b800cd814e770a1a771029cb425a395872fd64c4bf6e89cdb901637
Opcode Fuzzy Hash: 45c2ed52e1b767dcc348bc426c92b2578aa6aa2b989577805965bc8aabbc6b24
Instruction Fuzzy Hash: 0BA1483271868146E7289B25E460BBE7BA0FB85784F404274EA9E47BDADF3ED545CB00

Function 00007FFDFAE912E4 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 235COMMON

Download Yara Rule

APIs

EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEC475
RAND_bytes.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEC52F
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFAEEC600
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEC642
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEC665

Strings

resumption, xrefs: 00007FFDFAEEC557
ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEEC425, 00007FFDFAEEC486

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: D_bytesD_sizeO_freeO_memdup_time64
String ID: resumption$ssl\statem\statem_srvr.c
API String ID: 2587329016-3401190468
Opcode ID: 6e6347d3ba832de7fbd912073e435511f9bec064bbd7e6112c3d29ca12704b8d
Instruction ID: f15c90577e8c43d0b34ab334a7804ba745c5059935990ade891e589f8d70027e
Opcode Fuzzy Hash: 6e6347d3ba832de7fbd912073e435511f9bec064bbd7e6112c3d29ca12704b8d
Instruction Fuzzy Hash: 8EB1813270878181EB54EB25E8A4BBA67A0EB85B98F041075EE9E4B7D9CF7ED441C740

Function 00007FFDFAE91870 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBDA6A
d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAEBDC59, 00007FFDFAEBDC90

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID:
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h$ssl\ssl_lib.c
API String ID: 0-2912197248
Opcode ID: ebb80c32936c1df559eb4227c756c2152f13fc120461624f546ddc26ec9f032b
Instruction ID: 8223a7a5e457d76c6711f9c59aa5ca9c1cf8b64a44b8b18cf798a039a0990eed
Opcode Fuzzy Hash: ebb80c32936c1df559eb4227c756c2152f13fc120461624f546ddc26ec9f032b
Instruction Fuzzy Hash: 7961B032B08B8185EB68DB15E494BAA77A0FB85BD4F184271DEAE0B7D9DF3DD0418700

Function 00007FFDFAE91C2B Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

key expansion, xrefs: 00007FFDFAEF3262
ssl\t1_enc.c, xrefs: 00007FFDFAEF30D7, 00007FFDFAEF3194
, xrefs: 00007FFDFAEF3269
, xrefs: 00007FFDFAEF3254

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID:
String ID: $ $key expansion$ssl\t1_enc.c
API String ID: 0-333110023
Opcode ID: d252ead8b047694e4a7947077c44e6a927beac5ec3c3650357a43c17a1fa44a9
Instruction ID: 3fe1b9c534629c63b440a9bae49a57e16a12edf072d5b4a059511efa85ceb08e
Opcode Fuzzy Hash: d252ead8b047694e4a7947077c44e6a927beac5ec3c3650357a43c17a1fa44a9
Instruction Fuzzy Hash: FD715B32708B8196EBA8DB15E4907ED77A4FB89B94F044136DA9D07798CF39D199CB00

Function 00007FFDFAEEFA70 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAEEFB43, 00007FFDFAEEFB62
ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEEFBD7, 00007FFDFAEEFC9C

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID:
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h$ssl\statem\statem_srvr.c
API String ID: 0-1632109628
Opcode ID: 69a63a0ac3fe21c6f055803899149fd6e4774754d2e1a16d9993910c49450105
Instruction ID: 682f43fbb55cc49ddb1287a015d36831eacd17f07ef31e5ab150a7d8ec784d3a
Opcode Fuzzy Hash: 69a63a0ac3fe21c6f055803899149fd6e4774754d2e1a16d9993910c49450105
Instruction Fuzzy Hash: 0F51C632B08A8181F7649B11E4A0BED7760FB88B98F554171EE6E07BD8DF3DE9958700

Function 00007FFDFAECFDC0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECFE06
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECFE76
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECFE96
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECFEFA
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECFF10
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECFF39

Strings

ssl\statem\extensions_cust.c, xrefs: 00007FFDFAECFDF5, 00007FFDFAECFE64, 00007FFDFAECFE7F, 00007FFDFAECFEED, 00007FFDFAECFF03, 00007FFDFAECFF32

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_memdup
String ID: ssl\statem\extensions_cust.c
API String ID: 3962629258-1564674317
Opcode ID: 8f342893ae8e81a81e81b97d1b648c6142cc820d86c46e8c49ec0962cee7018b
Instruction ID: d658f7a9982b3e22d8be3aed116dec238fec3ee9e7bfa904fa8ebde6b21a27e9
Opcode Fuzzy Hash: 8f342893ae8e81a81e81b97d1b648c6142cc820d86c46e8c49ec0962cee7018b
Instruction Fuzzy Hash: 3741AF32B09B8281EB58EB06F4609E963A1FF44B94F064172EE6E47799EF7DD451C310

Function 00007FFDFAE91DAC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

CONF_parse_list.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF773F
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF7793
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF78B6

Strings

ssl\t1_lib.c, xrefs: 00007FFDFAEF7776, 00007FFDFAEF77AF, 00007FFDFAEF77C3, 00007FFDFAEF7852, 00007FFDFAEF78AC

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: F_parse_listO_freeR_put_error
String ID: ssl\t1_lib.c
API String ID: 3984800049-1168734446
Opcode ID: 8fc7343f385c576be8305919d2925868684c09c64c55477cddc6fd1c0f4219ad
Instruction ID: ca81f090781e9f0186050787eb58a63cf7869bcea7da07677261cf749f14c20f
Opcode Fuzzy Hash: 8fc7343f385c576be8305919d2925868684c09c64c55477cddc6fd1c0f4219ad
Instruction Fuzzy Hash: F8417F36B196E282E728AB11E820BB97761EF44784F414175E96E07BCCEF3EE515C740

Function 00007FFDFAE91ABE Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

CONF_parse_list.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF838F
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF83DA
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF8402

Strings

ssl\t1_lib.c, xrefs: 00007FFDFAEF83B1, 00007FFDFAEF83E7, 00007FFDFAEF8419

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: F_parse_listO_mallocR_put_error
String ID: ssl\t1_lib.c
API String ID: 3458554092-1168734446
Opcode ID: 254f645a80149d2b2221dd3d7bde9de3c36a8582b8c3e5d84e45f053d7abafba
Instruction ID: cf6cbf16c46a287c685898d4779fb10f1ae8565311e0dd4d423ae1672b694a31
Opcode Fuzzy Hash: 254f645a80149d2b2221dd3d7bde9de3c36a8582b8c3e5d84e45f053d7abafba
Instruction Fuzzy Hash: 92315C327197C285E768AB21E420BEA7365EB84B84F444175DEAE47BC9DF3DE105DB00

Function 00007FFDFAEABD80 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEABD9F
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEABDC7
CRYPTO_THREAD_lock_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEABE08
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEABE34
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEABE49

Strings

ssl\ssl_cert.c, xrefs: 00007FFDFAEABD98, 00007FFDFAEABDAC, 00007FFDFAEABE19, 00007FFDFAEABE3F
B, xrefs: 00007FFDFAEABE20

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error$D_lock_newO_freeO_zalloc
String ID: B$ssl\ssl_cert.c
API String ID: 3411496311-2639909426
Opcode ID: b6623c6043d71d5281d46f04e20221648af74f21a27dd7a8a9fa4c418cb7b763
Instruction ID: 6064acccf41b06650bab82a8b9149b8b4bc85c136ce2d387de24fc3383cd5aa9
Opcode Fuzzy Hash: b6623c6043d71d5281d46f04e20221648af74f21a27dd7a8a9fa4c418cb7b763
Instruction Fuzzy Hash: DE11B176B4524282E714EF20E460BE93790EF44718F484575D96D0B3C9EFBEE686C710

Function 00007FFDFAF7C610 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF7C6AE
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7C89B
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7C8C4

Strings

0, xrefs: 00007FFDFAF7C6DD
0123456789abcdefABCDEF, xrefs: 00007FFDFAF7C681, 00007FFDFAF7C6E3
0, xrefs: 00007FFDFAF7C678

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: iswdigit$localeconv
String ID: 0$0$0123456789abcdefABCDEF
API String ID: 2634821343-613610638
Opcode ID: a522400d06cd758ec35368aa348746e03708fc0af53c45bc8d8619b85cdc813e
Instruction ID: 5d9af8e965c5f3578506ba9a87c3bfa19ce2fb73e856b5b27c9169e039ddd565
Opcode Fuzzy Hash: a522400d06cd758ec35368aa348746e03708fc0af53c45bc8d8619b85cdc813e
Instruction Fuzzy Hash: 28811762F0815646EB694F15E860A7976A0FF44B64F049271EF9E4F6C8EF3CE852C640

Function 00007FFDFAE91FB9 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

CRYPTO_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF16D1

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEF1474

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_clear_free
String ID: ssl\statem\statem_srvr.c
API String ID: 2011826501-322006118
Opcode ID: 6aa94781d6181a230077dd5957392ff0d2bd331eb44f36c20571aa89343fe8ab
Instruction ID: 708da3e89ea97fa7f2984730073ae73adb8a8668a2fb8bc933f161c58234a232
Opcode Fuzzy Hash: 6aa94781d6181a230077dd5957392ff0d2bd331eb44f36c20571aa89343fe8ab
Instruction Fuzzy Hash: 6161E132B086C681E768AB16D464BB92791EF84BD8F194171DF6E0B7D9CF3EE5418700

Function 00007FFDFAE91A0A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

ssl\s3_enc.c, xrefs: 00007FFDFAEA50FA, 00007FFDFAEA51AF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID:
String ID: ssl\s3_enc.c
API String ID: 0-1240879137
Opcode ID: 91bd872870b35348ee8b489b68da4f78c4731ee10fbe6b1131e90001bcff076e
Instruction ID: 95702e5479978a2c9fe6c51da947b155b67f6ebb4154816571fa0b3d869d5c5d
Opcode Fuzzy Hash: 91bd872870b35348ee8b489b68da4f78c4731ee10fbe6b1131e90001bcff076e
Instruction Fuzzy Hash: B351CE32708B8186EB98DB15E0907AD77A4FB89B84F144132DF9E477A8DF39D0A5CB00

Function 00007FFDFAE91E6A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98BB7
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98BE0

Strings

ssl\packet.c, xrefs: 00007FFDFAE98BA9, 00007FFDFAE98BC5, 00007FFDFAE98C7E
b, xrefs: 00007FFDFAE98BCC

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_zallocR_put_error
String ID: b$ssl\packet.c
API String ID: 2718799170-3318296912
Opcode ID: b9d855087e3fbc6452671e12a06eee8b4fb073a8366137ffa55fe2e40872f299
Instruction ID: fd722181aad3be022405accbd3e8721bd6b5dc7ca6f078fb288d920e02cbfd50
Opcode Fuzzy Hash: b9d855087e3fbc6452671e12a06eee8b4fb073a8366137ffa55fe2e40872f299
Instruction Fuzzy Hash: 2751C172B09B4181DF58DB15D56076863A1EB48BE8F208675CA3E473E8EF3EE455C340

Function 00007FFDFAF4A260 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FFDFAF4A305
FindClose.KERNEL32 ref: 00007FFDFAF4A356
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF4A36B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF4A3C9

Strings

., xrefs: 00007FFDFAF4A332
., xrefs: 00007FFDFAF4A320

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Find$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
String ID: .$.
API String ID: 1484651601-3769392785
Opcode ID: 8470aea20536752b167f57700993fcdce4b2a3b718cf60346d1db86132df4577
Instruction ID: 9b1373a518d73740d561a0e5b826096474495a3f75903e20b48468ec53802047
Opcode Fuzzy Hash: 8470aea20536752b167f57700993fcdce4b2a3b718cf60346d1db86132df4577
Instruction Fuzzy Hash: 6F41A122B2864285EB24AF65E864A796360EF857B4F504371FEBD0B6D8EF7CD1858700

Function 00007FFDFAE922DE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF7576
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF7598
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF75C0
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF7680

Strings

ssl\t1_lib.c, xrefs: 00007FFDFAEF7559, 00007FFDFAEF7591, 00007FFDFAEF75A5, 00007FFDFAEF7633, 00007FFDFAEF7676

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error$O_freeO_malloc
String ID: ssl\t1_lib.c
API String ID: 3400298158-1168734446
Opcode ID: c6ee990bb0312684376e6f1f482b7aab148978af807c2495252d0deb1efe1494
Instruction ID: c14be2a1f56f92946836be7a5750f74a656cf8f54de583cd7151fd85393bd46e
Opcode Fuzzy Hash: c6ee990bb0312684376e6f1f482b7aab148978af807c2495252d0deb1efe1494
Instruction Fuzzy Hash: 1431BF36B1869292E718EB11A820AAAB761FB44790F414171EE6E07BCCEF7EE115C740

Function 00007FFDFAEF02A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

BN_bin2bn.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF0308
BN_ucmp.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF0337
BN_is_zero.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF034B
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF0376
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF038B

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEF035F, 00007FFDFAEF0409

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: N_bin2bnN_is_zeroN_ucmpO_freeO_strdup
String ID: ssl\statem\statem_srvr.c
API String ID: 3996552382-322006118
Opcode ID: 7e054756b0302a0af811ab39540a351a9f7cc99403f3a9b0353d686e7ccda3eb
Instruction ID: 02afeb745c7568772425a741ffcea94c42e12df120800f8d427b2ba9a53c2ff2
Opcode Fuzzy Hash: 7e054756b0302a0af811ab39540a351a9f7cc99403f3a9b0353d686e7ccda3eb
Instruction Fuzzy Hash: EC412A3270868282EB64AF15E460FBD27A1EB84B98F040271DE6E4B7D8DF3DD5818700

Function 00007FFDFAE91D52 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

BN_num_bits.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFCAC7
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFCAEE
BN_bn2bin.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFCB25
BN_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFCB52
BN_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFCB5A

Strings

ssl\tls_srp.c, xrefs: 00007FFDFAEFCACF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: N_clear_free$N_bn2binN_num_bitsO_malloc
String ID: ssl\tls_srp.c
API String ID: 49705458-1545769946
Opcode ID: d50c05e30aea65e99963d14d28187bcf42c22f7dce9259dfaaa155cecea2f73d
Instruction ID: 6c1fab324c311778f963fb9bb873da6192336047daea3424685d564a55ca1829
Opcode Fuzzy Hash: d50c05e30aea65e99963d14d28187bcf42c22f7dce9259dfaaa155cecea2f73d
Instruction Fuzzy Hash: F131C526B0C78281EB54BB12A450AB967A1EF89BC8F044071EE6E4BBCDDE3DE1018740

Function 00007FFDFAEA6CA5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6CC0
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6D3A
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6D6A
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6D99

Strings

, xrefs: 00007FFDFAEA6CB3
ssl\s3_lib.c, xrefs: 00007FFDFAEA6CAC, 00007FFDFAEA6D30, 00007FFDFAEA6D5C, 00007FFDFAEA6D89

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error$O_freeO_strdup
String ID: $ssl\s3_lib.c
API String ID: 3510034342-3426649805
Opcode ID: fdf483d45495702a87c9f0c10ff31a53cfbba4e33acdc9ce161b883bf9c9a639
Instruction ID: 7ae7a9f6dc70347fd69b7ee643a916d5870976d61661de0689b131158ac6f5fc
Opcode Fuzzy Hash: fdf483d45495702a87c9f0c10ff31a53cfbba4e33acdc9ce161b883bf9c9a639
Instruction Fuzzy Hash: F22123A1B2958245FB28AB24E060B7D76A0FF41B88F544178DB6E4AACEDF2FD5418700

Function 00007FFDFAEAC9F0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

i2d_X509_NAME.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACA17
i2d_X509_NAME.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACA27
memcmp.VCRUNTIME140 ref: 00007FFDFAEACA4C
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACA6A
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACA81

Strings

ssl\ssl_cert.c, xrefs: 00007FFDFAEACA60, 00007FFDFAEACA74

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeX509_i2d_$memcmp
String ID: ssl\ssl_cert.c
API String ID: 1487052844-188639428
Opcode ID: 904bcfde2227a8512e01879b27a2615e9448049806d6615ec1b761877f674281
Instruction ID: aeb119a17aa5ce1a162109865f257fda57ea18a34536fd903baa64e1a530078c
Opcode Fuzzy Hash: 904bcfde2227a8512e01879b27a2615e9448049806d6615ec1b761877f674281
Instruction Fuzzy Hash: 7801C462B4864685EB18F719E4A09B95762DFC97D0F289071EA6F4B7CDDE3FD8004700

Function 00007FFDFAEE1310 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE1330
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE1339
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE134F
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE1365
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE137A

Strings

ssl\statem\statem_dtls.c, xrefs: 00007FFDFAEE1342, 00007FFDFAEE1358, 00007FFDFAEE1370

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$X_free
String ID: ssl\statem\statem_dtls.c
API String ID: 306345296-3166991913
Opcode ID: c475e113628ec1fc288a1a400fa2db63fb4f8da2a259eb009dc85a049bbb4465
Instruction ID: b3eb5529d3984b19276c411f22ce5c3a44df106c25971ff05cffeb31d5fea48b
Opcode Fuzzy Hash: c475e113628ec1fc288a1a400fa2db63fb4f8da2a259eb009dc85a049bbb4465
Instruction Fuzzy Hash: 29F0F611F4510254FB08B711E470A7C2721DF84B94F4001B0ED2E0B6DECE2FD5928740

Function 00007FFDFAEC2D10 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_write_lock.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC2D47
OPENSSL_LH_insert.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC2D53
OPENSSL_LH_retrieve.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC2DC2
OPENSSL_LH_retrieve.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC2E73
OPENSSL_LH_delete.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC2E8A
CRYPTO_THREAD_unlock.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC2F0B

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: H_retrieve$D_unlockD_write_lockH_deleteH_insert
String ID:
API String ID: 2043303102-0
Opcode ID: 2758d08b43b1ca721d614cfa34f2149ae6d9323f779a59fb86a3dc2655531680
Instruction ID: 8495f0c2426be36daa851c8fc9ce8a8bf5c6223683a1af8f5ae268997cf926cd
Opcode Fuzzy Hash: 2758d08b43b1ca721d614cfa34f2149ae6d9323f779a59fb86a3dc2655531680
Instruction Fuzzy Hash: 4F519E32B0878282EB5DFF259560FB96395EB88BC4F054071EE2E57BD9DE3AE4508740

Function 00007FFDFAE96C80 Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE96CB9
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE96CFF
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE96D4B
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE96D76
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE96DA7
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE96DDF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_ctrl
String ID:
API String ID: 3605655398-0
Opcode ID: cd6ab1ff2ccc5ca39234b9c81bc5bc4d44e51147e726373658dac3f555618656
Instruction ID: cc544ec7e64baaa33f9f0aaa362a8f1644e69e07b02ca908265c9657141785a5
Opcode Fuzzy Hash: cd6ab1ff2ccc5ca39234b9c81bc5bc4d44e51147e726373658dac3f555618656
Instruction Fuzzy Hash: 6C317232B193C152EB8CAB66D5A1BFD2792EB88B84F004575DA2E47B89DF2994608701

Function 00007FFDFAEC6E60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC6F3B
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC6F50
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC7049

Strings

p, xrefs: 00007FFDFAEC6E7E
ssl\statem\extensions.c, xrefs: 00007FFDFAEC6EFE, 00007FFDFAEC70FF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$O_strdup
String ID: p$ssl\statem\extensions.c
API String ID: 3211362174-2179555058
Opcode ID: 46a921d586dba0f81d6e71e09033b5a6d391c8730baef91dbd80dd84fc61d186
Instruction ID: 800a7e715c74d657a899ab14876a5dcbd6804a2825564f95a8d8eee02c817186
Opcode Fuzzy Hash: 46a921d586dba0f81d6e71e09033b5a6d391c8730baef91dbd80dd84fc61d186
Instruction Fuzzy Hash: A971B432B0878286EBA5AF15D464BB937A0EB84B88F091175DE5E077C9CF7ED591C700

Function 00007FFDFAE91B63 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

EVP_PKEY_get1_tls_encodedpoint.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECB3CC
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECB44B
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECB4D5
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECB4E8

Strings

ssl\statem\extensions_clnt.c, xrefs: 00007FFDFAECB313, 00007FFDFAECB377, 00007FFDFAECB43C, 00007FFDFAECB4A2

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$Y_freeY_get1_tls_encodedpoint
String ID: ssl\statem\extensions_clnt.c
API String ID: 4042585043-2462086076
Opcode ID: 05fae2363c00ef2bb5c5b1967fce39f244cb2b427388fc9b97191564e59357ad
Instruction ID: 13ec28ef8fbcb0a5b7870e7d7527d9e3d7af329ce613832a8c5c716e679637fe
Opcode Fuzzy Hash: 05fae2363c00ef2bb5c5b1967fce39f244cb2b427388fc9b97191564e59357ad
Instruction Fuzzy Hash: 2A716D21B0C75185E768AB16E060BAA77A0FF85B84F054175EEAE47BD9DF3EE501CB00

Function 00007FFDFAE91CE4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED2ABE
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED2AFC
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED2B2E

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAED2ACA, 00007FFDFAED2B1E
ssl\statem\extensions_srvr.c, xrefs: 00007FFDFAED2A9D, 00007FFDFAED2B9F

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$O_memdup
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h$ssl\statem\extensions_srvr.c
API String ID: 3545228654-2103770359
Opcode ID: 9e1918a99b66042724863daaedee8a9e2a28b531ac7d69bd0df454d5741ba57c
Instruction ID: 732538293196b71305220328b9a534206c46dc5d3e53c51ec699beb825bfb6e9
Opcode Fuzzy Hash: 9e1918a99b66042724863daaedee8a9e2a28b531ac7d69bd0df454d5741ba57c
Instruction Fuzzy Hash: 5E51A332B18B8186D7589F15F450AA9B3A0FB84B94F545270FAAE07B99DF3DE191C700

Function 00007FFDFAEBC960 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBC9A6
CRYPTO_realloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBC9FA
CRYPTO_realloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBCA28
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBCA52

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBC98B, 00007FFDFAEBC9DA, 00007FFDFAEBCA15, 00007FFDFAEBCA42

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_reallocR_put_error
String ID: ssl\ssl_lib.c
API String ID: 1389097454-1984206432
Opcode ID: c9d912a4e0593d47e7580246de6ab5d4e03c62a12bea928f469916254826f572
Instruction ID: 067f13dcae3c328c9540f3c6af10b7febc3b2dca52e6a250754379bd50b685b1
Opcode Fuzzy Hash: c9d912a4e0593d47e7580246de6ab5d4e03c62a12bea928f469916254826f572
Instruction Fuzzy Hash: 6E31153275978586EB15DF25E820AA977A0FB88B88F440172EEAE077D8DF3ED451D700

Function 00007FFDFAEF7270 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF72C6
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF72EE
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF736F
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF7382

Strings

ssl\t1_lib.c, xrefs: 00007FFDFAEF72B0, 00007FFDFAEF72D3, 00007FFDFAEF735A

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$O_mallocR_put_error
String ID: ssl\t1_lib.c
API String ID: 2563039504-1168734446
Opcode ID: 91fa3c03b005656edac671a9d81f51a0b34475f04cbd88127e2b5076fff040f3
Instruction ID: afcb79a389b2e7128d5b165711ca6ac3c52c6a3ea9cfeb6f73a97ae963bdf640
Opcode Fuzzy Hash: 91fa3c03b005656edac671a9d81f51a0b34475f04cbd88127e2b5076fff040f3
Instruction Fuzzy Hash: D231B736B19AD291E718EB15E020AA97BB4EF45780F444471EE6E07BD9EF3EE521C700

Function 00007FFDFAE91C49 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

X509_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB3D4
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB3E1
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB3F4
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB40D

Strings

ssl\ssl_cert.c, xrefs: 00007FFDFAEAB3FD

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_pop_freeO_freeX509_freeY_free
String ID: ssl\ssl_cert.c
API String ID: 1247630535-188639428
Opcode ID: db325d6359626edae46770550bf2d264bca1765b63f97150984263d541d293db
Instruction ID: 0e9f6154b853ca4c1291c4af77bb18cf9a3934e3ef757f0872d9a95833b6caf6
Opcode Fuzzy Hash: db325d6359626edae46770550bf2d264bca1765b63f97150984263d541d293db
Instruction Fuzzy Hash: 7F018E37B18B9181E714AB24E06086CB3A4FB88F88F544162EA9E5BB8DCF79D516C700

Function 00007FFDFAEF7E00 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,00000000,00007FFDFAEF7C53), ref: 00007FFDFAEF7E4B
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF803A
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF8062

Strings

ssl\t1_lib.c, xrefs: 00007FFDFAEF7E1E, 00007FFDFAEF8033, 00007FFDFAEF8047

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_mallocR_put_error
String ID: ssl\t1_lib.c
API String ID: 2160744234-1168734446
Opcode ID: 4d2d541890369b1daff2bc5b17bf2a8f641833dea24e7332f2a818c8e619e4a9
Instruction ID: 670baf7affac92a3e1f1484001859eddfd8195613ebcf72bc9b943c14e9682b2
Opcode Fuzzy Hash: 4d2d541890369b1daff2bc5b17bf2a8f641833dea24e7332f2a818c8e619e4a9
Instruction Fuzzy Hash: 5471A027B0968285E7A9AB11A520BB933B5FF44B90F5940B5EE6E077C8DF3DE851D300

Function 00007FFDFAE91F28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

ssl\statem\extensions_clnt.c, xrefs: 00007FFDFAECE05E, 00007FFDFAECE10C, 00007FFDFAECE162

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID:
String ID: ssl\statem\extensions_clnt.c
API String ID: 0-2462086076
Opcode ID: f6cb3058d17ab3743cfe3b3bb7936c2990428fd16f35c9e5d7fc0176ee5410dd
Instruction ID: d5ed9fa2cc45584170f5dd4c7e949d4211aefa7b0408af699503dc21da26131e
Opcode Fuzzy Hash: f6cb3058d17ab3743cfe3b3bb7936c2990428fd16f35c9e5d7fc0176ee5410dd
Instruction Fuzzy Hash: 86510172708B8181EB559B10E454BA977A1FF89BC4F084170EADD1BB99DF3EE191CB00

Function 00007FFDFAEBD350 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBD3FA

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBD3CE, 00007FFDFAEBD40C, 00007FFDFAEBD4DD
%02x, xrefs: 00007FFDFAEBD466, 00007FFDFAEBD4A5

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_malloc
String ID: %02x$ssl\ssl_lib.c
API String ID: 1457121658-4123061399
Opcode ID: 2448aebcb881cc7cd84a44fb796ecd5af99c49a6604bc60d9c9be4900a39836a
Instruction ID: 5b7280c30bdbe27e4ef1598393a69c044be0f322f74d4cd426cd3e8fe12949c9
Opcode Fuzzy Hash: 2448aebcb881cc7cd84a44fb796ecd5af99c49a6604bc60d9c9be4900a39836a
Instruction Fuzzy Hash: 83412722B0879186EB599F15F850BAA67A1FB88BD4F484072DF9E07799DF3DD045CB00

Function 00007FFDFAE9DDE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9DE62
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9DF0B
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9DF1F

Strings

ssl\record\ssl3_buffer.c, xrefs: 00007FFDFAE9DE05

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_malloc$O_free
String ID: ssl\record\ssl3_buffer.c
API String ID: 2640950527-907675498
Opcode ID: 4e7727e9df7f5bd1fa610c2aa7711d6785af5b2ebc691485aa6ce54fa147b42f
Instruction ID: 688bdf1108edbf73c2eaa46f518fc858e21f192e6ee9b0cfb278ccf416c3a0de
Opcode Fuzzy Hash: 4e7727e9df7f5bd1fa610c2aa7711d6785af5b2ebc691485aa6ce54fa147b42f
Instruction Fuzzy Hash: 3A419072B0978186EB64AB11E9A07A963E0FB48BC8F044474DE9E4BBCDCF3ED5518704

Function 00007FFDFAECF350 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

CRYPTO_realloc.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAECF67A,?,?,?,00007FFDFAECF13E), ref: 00007FFDFAECF475

Strings

ssl\statem\extensions_cust.c, xrefs: 00007FFDFAECF46E
3, xrefs: 00007FFDFAECF3DF
t3, xrefs: 00007FFDFAECF3D5

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_realloc
String ID: 3$ssl\statem\extensions_cust.c$t3
API String ID: 3931833713-2956931296
Opcode ID: 2e0da5b627020d852760bc5778966b38de2594668abff8e63698b9fc6aaf7593
Instruction ID: 701146e3398073ee8dc87f1363d4a46e951b93a177a85be47c126666f92074f4
Opcode Fuzzy Hash: 2e0da5b627020d852760bc5778966b38de2594668abff8e63698b9fc6aaf7593
Instruction Fuzzy Hash: 1C419372B04B8281EB6C9F09D4A06B9B7A0FB48784F158171DE5E437E8DE3ED452C714

Function 00007FFDFAEEAA8C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEAB4C
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEAB71

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAEEAB3F, 00007FFDFAEEAB65
ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEEABB4, 00007FFDFAEEABFD

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_memdup
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h$ssl\statem\statem_srvr.c
API String ID: 3962629258-1632109628
Opcode ID: e3c3090f6f55177d6b99109b3714c50193283c5c666478ccdb4538579f0b6052
Instruction ID: f41ade9b0559edeb71d81b1b23b51d510bc2a478642c604393da8db0b7c0c2aa
Opcode Fuzzy Hash: e3c3090f6f55177d6b99109b3714c50193283c5c666478ccdb4538579f0b6052
Instruction Fuzzy Hash: 24410132B28B8182E7408F15F450AA9B3A5FB84B90F494235FE9E03BA9DF7DD591C700

Function 00007FFDFAE9193D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF19DA
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF19FF

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAEF19C8, 00007FFDFAEF19F3
ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEF1A41, 00007FFDFAEF1A77

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_memdup
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h$ssl\statem\statem_srvr.c
API String ID: 3962629258-1632109628
Opcode ID: 9a3a651a0980c8f9d43933ac711f9f0c6c9b42083ce41ce764502d048dc390df
Instruction ID: f39ad8c203443309a75e5b70b5d1b4ae8ea0222068b71bd24e3f529238b2d5b8
Opcode Fuzzy Hash: 9a3a651a0980c8f9d43933ac711f9f0c6c9b42083ce41ce764502d048dc390df
Instruction Fuzzy Hash: 7A41C032B29BC181E7459F14E450AA9B3A4FF84B84F444272FA9E17B99DF3DD191CB00

Function 00007FFDFAEDAB00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDAC47
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDAC4F

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDAB3D, 00007FFDFAEDAB77

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeY_free
String ID: ssl\statem\statem_clnt.c
API String ID: 1826982404-1578583260
Opcode ID: 23a232338c39d6370dce277b798269771fd8d26c8d6571922d072d500c432c5c
Instruction ID: 4f3d763014c00d9cb3eae1278518f9f83aa5d3b147e35302379950913317191c
Opcode Fuzzy Hash: 23a232338c39d6370dce277b798269771fd8d26c8d6571922d072d500c432c5c
Instruction Fuzzy Hash: C131863170C74186E768EF11E420AA96751FB89BD8F440574EE5E17BC9DF7EE2468B00

Function 00007FFDFAE919EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB63D5
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB63FD
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB6486

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEB63CE, 00007FFDFAEB63E2, 00007FFDFAEB647C

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_mallocR_put_error
String ID: ssl\ssl_lib.c
API String ID: 2160744234-1984206432
Opcode ID: 788c336dc930c4790232a1c9741c2693159693a362a3c5ecbaf0134127969990
Instruction ID: 378adeee575f94935e0bc2b8b1bf4f352e8aea50681d752d5ae63bbce0faf246
Opcode Fuzzy Hash: 788c336dc930c4790232a1c9741c2693159693a362a3c5ecbaf0134127969990
Instruction Fuzzy Hash: 9031B272B0AA4281EB98DF04D4686A967A1FB44BC4F544472DA6E477D8EF3EE442C700

Function 00007FFDFAEDCA70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDCA9C
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDCB0A
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDCB5F

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDCACB

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$X_free
String ID: ssl\statem\statem_clnt.c
API String ID: 306345296-1578583260
Opcode ID: 611003fea63503c0df120acd1659e09ddf3fec271a640d151da16188b38be8bf
Instruction ID: 1aa03e173d587412d70b29862877ebefeee398e9045f61a309d4668caa2d6815
Opcode Fuzzy Hash: 611003fea63503c0df120acd1659e09ddf3fec271a640d151da16188b38be8bf
Instruction Fuzzy Hash: 7A31D23270878142F768AB22E5507AAA761FB89BC4F044171EF9D47BC9DF3ED5528B00

Function 00007FFDFAE9231A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECD624
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECD651

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAECD61D, 00007FFDFAECD644
ssl\statem\extensions_clnt.c, xrefs: 00007FFDFAECD68B

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_memdup
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h$ssl\statem\extensions_clnt.c
API String ID: 3962629258-809686093
Opcode ID: 45f0bfc8daba7d28a2fc2eea6580614a63decea0880e37c3255b02cf2b630890
Instruction ID: 2f051b861af5e29790e5ea5940e39fe71f176a101c961d39ee4556627604baaf
Opcode Fuzzy Hash: 45f0bfc8daba7d28a2fc2eea6580614a63decea0880e37c3255b02cf2b630890
Instruction Fuzzy Hash: 61317432B18B8141EB589F14F4505A9B7A0FB487A4F444271FAAE577D9DF3DE1A1CB00

Function 00007FFDFAE918C5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB51A
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB547
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB561

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBB50A, 00007FFDFAEBB533, 00007FFDFAEBB557

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_strdupR_put_error
String ID: ssl\ssl_lib.c
API String ID: 626504629-1984206432
Opcode ID: 07b894f4293979efcca9411de61d2b6039919be6abaa6937bcf84b4f8416b81c
Instruction ID: da56c35c6e200011f3e0f355fd5e3a1df22ea306fe5539283890045a53262f55
Opcode Fuzzy Hash: 07b894f4293979efcca9411de61d2b6039919be6abaa6937bcf84b4f8416b81c
Instruction Fuzzy Hash: BB21D162B0968545EB88EB15E4647B873A1FB447C4F584472DB6E877D9EF2ED4908300

Function 00007FFDFAEB18D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB197C
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB1991

Part of subcall function 00007FFDFAE9175D: ERR_clear_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC28E3
Part of subcall function 00007FFDFAE9175D: BIO_s_file.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC290B
Part of subcall function 00007FFDFAE9175D: BIO_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC2913
Part of subcall function 00007FFDFAE9175D: ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC293B
Part of subcall function 00007FFDFAE9175D: X509_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC2AB0
Part of subcall function 00007FFDFAE9175D: BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC2AB8

Strings

ssl\ssl_conf.c, xrefs: 00007FFDFAEB1975, 00007FFDFAEB1987
gfffffff, xrefs: 00007FFDFAEB194D

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free$O_newO_s_fileO_strdupR_clear_errorR_put_errorX509_free
String ID: gfffffff$ssl\ssl_conf.c
API String ID: 3738848979-992112152
Opcode ID: 0cc365725ebee17fab658cb00fcbf268b215681e4a1126e33d0068420cfea6e0
Instruction ID: 493f2ce218d8ec1226aeceaf30b41be1339b076e579c56dd03b4e6001bb53be9
Opcode Fuzzy Hash: 0cc365725ebee17fab658cb00fcbf268b215681e4a1126e33d0068420cfea6e0
Instruction Fuzzy Hash: 7421CF62B15B8585EF48EF2BE45066827A0EF88FC4F184036EE1E87799DF3DE5008341

Function 00007FFDFAE922CA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB5B21
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB5B4E
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB5B68

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEB5B11, 00007FFDFAEB5B3A, 00007FFDFAEB5B5E

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_strdupR_put_error
String ID: ssl\ssl_lib.c
API String ID: 626504629-1984206432
Opcode ID: c24f7443a03703845bc4212138975796dd8045fa63741f58ddc93aa1216fe340
Instruction ID: 737aba08694a14b33bff5a2ac7f723eed83b6ca03b23f4da6b47efcc171f6c70
Opcode Fuzzy Hash: c24f7443a03703845bc4212138975796dd8045fa63741f58ddc93aa1216fe340
Instruction Fuzzy Hash: 16212532F0838185FB88DB15E4A47A923A0FB447C0F540172EB6E8B3DACF2ED4818700

Function 00007FFDFAE97ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98BB7
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98BE0

Strings

ssl\packet.c, xrefs: 00007FFDFAE98BA9, 00007FFDFAE98BC5
b, xrefs: 00007FFDFAE98BCC

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_zallocR_put_error
String ID: b$ssl\packet.c
API String ID: 2718799170-3318296912
Opcode ID: cab9c98f9257079e2311f6f2ee369d3da7b9fa8722007680d6d06f1113784f94
Instruction ID: d1da611783e2ed41726ada6b5b2021bbc40d896fed0548cc708aa1118df04261
Opcode Fuzzy Hash: cab9c98f9257079e2311f6f2ee369d3da7b9fa8722007680d6d06f1113784f94
Instruction Fuzzy Hash: A021F371B0974285EB58DB14E420BA832A0FB087A8F604234DA7D473D9EF7ED9598740

Function 00007FFDFAEE3980 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE39C7
memcpy.VCRUNTIME140 ref: 00007FFDFAEE3A3D

Strings

J, xrefs: 00007FFDFAEE39D4
ssl\statem\statem_lib.c, xrefs: 00007FFDFAEE39AA

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_mallocmemcpy
String ID: J$ssl\statem\statem_lib.c
API String ID: 1834057931-1977568339
Opcode ID: d2c40af62655d2b20d4a42f63a511eba60593a1c1eae314bb2b53bda391960a3
Instruction ID: cd1d6ee27b2cce5e89dafc8f849f56335e152e4b679332c486349853a7bed8a9
Opcode Fuzzy Hash: d2c40af62655d2b20d4a42f63a511eba60593a1c1eae314bb2b53bda391960a3
Instruction Fuzzy Hash: C721A123B08B8192E710DB16E5106A9B720FB98BD4F098661EF9C1775ADF39E2D6C700

Function 00007FFDFAE97D70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE97DB2
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE97DDB

Strings

b, xrefs: 00007FFDFAE97DC7
ssl\packet.c, xrefs: 00007FFDFAE97D98, 00007FFDFAE97DC0

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_zallocR_put_error
String ID: b$ssl\packet.c
API String ID: 2718799170-3318296912
Opcode ID: de6bb04ed96cf2c87fb87fc0a5c9dfff0ad30fcec68bf0fc8f3b5347101d9199
Instruction ID: c5d973f50211e1f0b31d2f83852590abbc1c11c8d30cb81caf3e10752f9fb353
Opcode Fuzzy Hash: de6bb04ed96cf2c87fb87fc0a5c9dfff0ad30fcec68bf0fc8f3b5347101d9199
Instruction Fuzzy Hash: A2018032705B4186D7099F19E4505A873A0FB48768F644235D6BC477D9EF3AD96AC600

Function 00007FFDFAEA6DAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6D6A
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6DD2
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6DE7

Strings

ssl\s3_lib.c, xrefs: 00007FFDFAEA6D5C, 00007FFDFAEA6DCB, 00007FFDFAEA6DDD

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_strdupR_put_error
String ID: ssl\s3_lib.c
API String ID: 626504629-3639828702
Opcode ID: a95f08fd67e32929d388144eff53ab6e457ea06d88129f959ce97df532086cca
Instruction ID: 0320bfa5015cd968218c3318ef48e4c5082389fca447130e97812e8d7de04132
Opcode Fuzzy Hash: a95f08fd67e32929d388144eff53ab6e457ea06d88129f959ce97df532086cca
Instruction Fuzzy Hash: 86018865B59A5381EB55EB14E060ABD63A0EF40748F9401B1DA2D0A6DDEF3EE155C700

Function 00007FFDFAE92261 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98FBD
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98FE5

Strings

+, xrefs: 00007FFDFAE98FD1
ssl\pqueue.c, xrefs: 00007FFDFAE98FB3, 00007FFDFAE98FCA

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_zallocR_put_error
String ID: +$ssl\pqueue.c
API String ID: 2718799170-1790600208
Opcode ID: f41f168802a371908be0dc6d7a6b8c2d4446c60043b33b58f2574a647d0d28d6
Instruction ID: b67055350b4d1c5d7e8d6cf2ebf30af224dec7c236a41b6764dc655699431249
Opcode Fuzzy Hash: f41f168802a371908be0dc6d7a6b8c2d4446c60043b33b58f2574a647d0d28d6
Instruction Fuzzy Hash: E8F0A725B1911786EB08AB14D424DA82710EF48318F440075D91D477D9FF3EF616CA10

Function 00007FFDFAE91B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECE7B5
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECE7DF

Strings

ssl\statem\extensions_clnt.c, xrefs: 00007FFDFAECE79E, 00007FFDFAECE87F

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_malloc
String ID: ssl\statem\extensions_clnt.c
API String ID: 2609694610-2462086076
Opcode ID: 3052a5ba3a9101605753507c3ba5f9ae9cf4d97a592aa99cc964b180ffa13325
Instruction ID: 30f59a82a43a5652d6ba8f0214ba86a624d59af49e178721e7be2774d8169507
Opcode Fuzzy Hash: 3052a5ba3a9101605753507c3ba5f9ae9cf4d97a592aa99cc964b180ffa13325
Instruction Fuzzy Hash: F2319422B08B8181E7689B11E410B6E7751EB84BC4F184075DE9E57BDDDF3EE651CB00

Function 00007FFDFAE91BAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9E1ED
CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9E201

Strings

ssl\record\ssl3_buffer.c, xrefs: 00007FFDFAE9E1CF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_malloc
String ID: ssl\record\ssl3_buffer.c
API String ID: 2609694610-907675498
Opcode ID: 6033b59147d9bc3cc501de54a8f969d8204975e2f0abd4f06d16e019e6fe07bb
Instruction ID: fa5c855d008fe86dc5cd2b94c82ac9c93763c242e74fa0fc040ac276102d5961
Opcode Fuzzy Hash: 6033b59147d9bc3cc501de54a8f969d8204975e2f0abd4f06d16e019e6fe07bb
Instruction Fuzzy Hash: FA31C432B0978182E768AB11E85076962E0FB48BD8F184574DEAD07BCDDF7ED551C700

Function 00007FFDFAED8CDA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED8DBD
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED8DFD

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAED8DB0

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\statem\statem_clnt.c
API String ID: 2581946324-1578583260
Opcode ID: 32ba48cdfe899d2c17fed0ae30bce339e270bdb226aaad318ecf7ba0bc514ce9
Instruction ID: 52c161cad9f3f0ed1a545f011395c57f9d1cfd1e53ad8dddc410687f33a1ac03
Opcode Fuzzy Hash: 32ba48cdfe899d2c17fed0ae30bce339e270bdb226aaad318ecf7ba0bc514ce9
Instruction Fuzzy Hash: 5931EB72B1CB8182D720AB00E45096AB7A4FB857A4F044275FAEA07BCDDF7DE1908B00

Function 00007FFDFAE96B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAE92400: CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE99724
Part of subcall function 00007FFDFAE92400: ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9974C

Part of subcall function 00007FFDFAE916E5: CRYPTO_zalloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA7B04

CRYPTO_zalloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE96B7C

Part of subcall function 00007FFDFAE92261: CRYPTO_zalloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98FBD
Part of subcall function 00007FFDFAE92261: ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98FE5

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE96C1D

Strings

ssl\d1_lib.c, xrefs: 00007FFDFAE96B70, 00007FFDFAE96C13

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_zalloc$R_put_error$O_freeO_malloc
String ID: ssl\d1_lib.c
API String ID: 566506930-957499845
Opcode ID: 4c77c858b38040570b64505cb833dc132fcb991145d652d041cdb3ea07aa14c7
Instruction ID: 85405f459a6bc8973972efb9d05ce247a7c4b5298cc2b5e05a8fef0c27e0ef03
Opcode Fuzzy Hash: 4c77c858b38040570b64505cb833dc132fcb991145d652d041cdb3ea07aa14c7
Instruction Fuzzy Hash: 88214421B0974241FB4CBB65A561BF96290EF4C788F045475EE6E473CAEF2DE4A18200

Function 00007FFDFAE91E60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CRYPTO_clear_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDA8DC

Strings

@, xrefs: 00007FFDFAEDA88D
ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDA835

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_clear_free
String ID: @$ssl\statem\statem_clnt.c
API String ID: 2011826501-2520542856
Opcode ID: baebf0ae4530ccf226848bf453271081f5b44d0ef57f48847a9ee6c65cb3a35c
Instruction ID: f18f89fe294ce1d87b38d68da06a261133f37f184318b2dcebb11db6d4756173
Opcode Fuzzy Hash: baebf0ae4530ccf226848bf453271081f5b44d0ef57f48847a9ee6c65cb3a35c
Instruction Fuzzy Hash: 61219536B1878181F754AB12E564BA967A5FB84FD4F044071DE5E1BBD9CF3EE1428700

Function 00007FFDFAE9E010 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9E08D

Strings

ssl\record\ssl3_buffer.c, xrefs: 00007FFDFAE9E080
F, xrefs: 00007FFDFAE9E09B

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_malloc
String ID: F$ssl\record\ssl3_buffer.c
API String ID: 1457121658-2325794253
Opcode ID: bd6fd908bce8fa8e9e09f95005e6246e6be4bbf17436f36d1f35cb80fe445197
Instruction ID: 7bd09a8e33ecd812da50eb0f0cfb6d4bef98de3fed06e84e9ecef3586117be28
Opcode Fuzzy Hash: bd6fd908bce8fa8e9e09f95005e6246e6be4bbf17436f36d1f35cb80fe445197
Instruction Fuzzy Hash: 9D11B132B0878181E754AB15E9107A963A0FB88BC8F084175EF9D57B8DCF3ED591CB04

Function 00007FFDFAEA5F70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5F8D
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5FE3

Strings

ssl\s3_lib.c, xrefs: 00007FFDFAEA5F80, 00007FFDFAEA5FD9

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_strdup
String ID: ssl\s3_lib.c
API String ID: 2148955802-3639828702
Opcode ID: 99722639141751f5fd7ca829ddf722bb3b5cfd52327b9b99ddbc89670d3aeda4
Instruction ID: f9e90c101057b19cc36bfd787a52d1a3f8f08c04f583a49e5ffd095e2a5d799b
Opcode Fuzzy Hash: 99722639141751f5fd7ca829ddf722bb3b5cfd52327b9b99ddbc89670d3aeda4
Instruction Fuzzy Hash: 131104A5B1C39185F735AB05E060BB8A690FB82B54F450075EAAE0F7C8CF7EE5868710

Function 00007FFDFAE91EB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB2297
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB22C5

Strings

ssl\ssl_conf.c, xrefs: 00007FFDFAEB228D, 00007FFDFAEB22B8

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_strdup
String ID: ssl\ssl_conf.c
API String ID: 2148955802-1155788636
Opcode ID: 8b3f018f0c76cb8e50eef2c5b0f6c7fe253c1f4f6523c8d60bc3e80dedba7b2f
Instruction ID: 907172c564a7c0867231a2bdf0b7964da693b74185bcf11adb9a8b24158c0e2f
Opcode Fuzzy Hash: 8b3f018f0c76cb8e50eef2c5b0f6c7fe253c1f4f6523c8d60bc3e80dedba7b2f
Instruction Fuzzy Hash: FC11E922F0C78242FB58A749F0A4A286690EF447C4F5841B6EB6F47BCDDF2EE4918700

Function 00007FFDFAEA7EE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64(?,00007FFDFAEA6325), ref: 00007FFDFAEA7F15
CRYPTO_memdup.LIBCRYPTO-1_1-X64(?,00007FFDFAEA6325), ref: 00007FFDFAEA7F50

Strings

ssl\s3_lib.c, xrefs: 00007FFDFAEA7F01, 00007FFDFAEA7F43

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_memdup
String ID: ssl\s3_lib.c
API String ID: 3962629258-3639828702
Opcode ID: 9615781faf5e59e9c568cdf578871ac579bd8adeb7ee6c92585d8580069c2afc
Instruction ID: 1583de78ed0aafe500150a8b4b8e61bb29f62d593134af8aaeda507bf61f0d10
Opcode Fuzzy Hash: 9615781faf5e59e9c568cdf578871ac579bd8adeb7ee6c92585d8580069c2afc
Instruction Fuzzy Hash: 88018231B19B8151EB98DB15A4507D9A2E0FF48BC0F484170EB6D8B789DF2DD5618300

Function 00007FFDFAE91F6E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC3945
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC3967

Strings

ssl\ssl_sess.c, xrefs: 00007FFDFAEC3931, 00007FFDFAEC395A

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_memdup
String ID: ssl\ssl_sess.c
API String ID: 3962629258-3038452671
Opcode ID: 43f460c523462c73ecbb046fb488f2619b568d3dbfc85e745c42dff49fa9892d
Instruction ID: 102da97d669f4f5a699158102b37f8bdefe3042685dd49727f13d125c5f363df
Opcode Fuzzy Hash: 43f460c523462c73ecbb046fb488f2619b568d3dbfc85e745c42dff49fa9892d
Instruction Fuzzy Hash: 4011C821B19B8180E785AB11F494AA8A3A4EF48FD4F180174EE9E4BBDDDF2DD652C700

Function 00007FFDFAE91CD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9FB44
COMP_expand_block.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9FB6D

Strings

ssl\record\ssl3_record.c, xrefs: 00007FFDFAE9FB38

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_mallocP_expand_block
String ID: ssl\record\ssl3_record.c
API String ID: 3543690440-2781342121
Opcode ID: 8eb26df50dffb92fb9f99084072291920c192d26a0d8bfc2c2d68b0b0bee4863
Instruction ID: 3a6a5038a68ce51f45bd884f1d6a66a09139094cdb262e05677615417a7898b4
Opcode Fuzzy Hash: 8eb26df50dffb92fb9f99084072291920c192d26a0d8bfc2c2d68b0b0bee4863
Instruction Fuzzy Hash: FD018062B08B4182EB489F21E4606A963A0FB4CBC8F144435EF5D4B3CDEF2ED4908710

Function 00007FFDFAF5285C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FFDFAF52882
FormatMessageA.KERNEL32 ref: 00007FFDFAF528B1

Strings

!x-sys-default-locale, xrefs: 00007FFDFAF52875

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 8276c80c76852153998e0e975adc591f8809e2439487613114ddc3dbf5371e13
Instruction ID: d43e6c79706c17c30f782913b4675fb692551a6723341861fefea31d45915d7e
Opcode Fuzzy Hash: 8276c80c76852153998e0e975adc591f8809e2439487613114ddc3dbf5371e13
Instruction Fuzzy Hash: 4701F572B0878182E7188B51F850BB9B791FB887E4F404275E6595ABD8CF3CD405C700

Function 00007FFDFAEB3A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3A57
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3A80

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAEB3A47, 00007FFDFAEB3A70

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_memdup
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h
API String ID: 3962629258-499535388
Opcode ID: 81128966d9e544a61976296de8a32c460a558a6961147b95c57856a11493464a
Instruction ID: 594ec90614f82a01baf11d00bf198895aa8ade77110426859d9b3c558387eef2
Opcode Fuzzy Hash: 81128966d9e544a61976296de8a32c460a558a6961147b95c57856a11493464a
Instruction Fuzzy Hash: 53017C32706B8281EB54DF02F894A5973A4FB58BC0F088471EE9D4BB89DF3DD0608700

Function 00007FFDFAECA030 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECA067
CRYPTO_memdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECA090

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAECA057, 00007FFDFAECA080

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_memdup
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h
API String ID: 3962629258-499535388
Opcode ID: 729c1c798f1f97ff917d005eff890ae8cffc9630d25b753cd16775b7a0caf807
Instruction ID: e84b5b879afc6099bfc477806ccbef31eef320d7a171e7cbcac213ebdcc65e7f
Opcode Fuzzy Hash: 729c1c798f1f97ff917d005eff890ae8cffc9630d25b753cd16775b7a0caf807
Instruction Fuzzy Hash: 22012C32716B9281EB549F02F890A5977A4FB98BC0F488471EE9D4BB89DF3ED561C700

Function 00007FFDFAE91C12 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC3A1D
CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC3A4E

Strings

ssl\ssl_sess.c, xrefs: 00007FFDFAEC3A10, 00007FFDFAEC3A44

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_strdup
String ID: ssl\ssl_sess.c
API String ID: 2148955802-3038452671
Opcode ID: 8555c6846e12b93a6a9159d18b9606f010b9f941e89a21534a379f23712696df
Instruction ID: 4577aea99c93ff655f034b484a19bbda330ffa5add13e2d8830a1da72b8f16d2
Opcode Fuzzy Hash: 8555c6846e12b93a6a9159d18b9606f010b9f941e89a21534a379f23712696df
Instruction Fuzzy Hash: D5F02D22B0878241E788DB15F550AA86391EF88BD0F188174ED6D47BDEDE2DD1928700

Function 00007FFDFAE98D80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98DA7
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98DCF

Strings

ssl\pqueue.c, xrefs: 00007FFDFAE98D9D, 00007FFDFAE98DB4

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_mallocR_put_error
String ID: ssl\pqueue.c
API String ID: 2513334388-827308526
Opcode ID: 408acd6cbf12ec5fbe81c240392533988fd3f750782e29cdb8bbeaf0a671a324
Instruction ID: 7836f383f2a2d1c59c422eca26fc96850460dae77fcaba3ba3a1b0547aa4bdda
Opcode Fuzzy Hash: 408acd6cbf12ec5fbe81c240392533988fd3f750782e29cdb8bbeaf0a671a324
Instruction Fuzzy Hash: 18018B36B0974186DB449B14F450BA873A0FB48788F544036EB6C4379AEF39E658CB00

Function 00007FFDFAEA9D50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64(00000000,00007FFDFAEA9453), ref: 00007FFDFAEA9D79
CRYPTO_strndup.LIBCRYPTO-1_1-X64(00000000,00007FFDFAEA9453), ref: 00007FFDFAEA9D9E

Strings

ssl\ssl_asn1.c, xrefs: 00007FFDFAEA9D6C, 00007FFDFAEA9D8D

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_strndup
String ID: ssl\ssl_asn1.c
API String ID: 2641571835-3318222049
Opcode ID: 772178b950b6cc95ff038b7bb942cc2e4db0a099a4b798065c0a6b869c97f180
Instruction ID: a05b11227dc20fdf2457ecc63374f6eb5fccb9819eafa1fccbb3620f32fc4eff
Opcode Fuzzy Hash: 772178b950b6cc95ff038b7bb942cc2e4db0a099a4b798065c0a6b869c97f180
Instruction Fuzzy Hash: CAF0C876B05A4141EF55A755F6507A85350EF48B94F488071EF2D477C9EE2DD4904310

Function 00007FFDFAEE8A00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE8A29
CRYPTO_strndup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE8A42

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAEE8A1F, 00007FFDFAEE8A32

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_strndup
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h
API String ID: 2641571835-499535388
Opcode ID: 6dc86bcc492c2072e9688d4651649b0b7a146acb96cfb8213c87e03fcb377a00
Instruction ID: e35bee66999beb0b3f6128ab9f2722cd7aa1ae2d28b991dcdb5c0a4f7d32643d
Opcode Fuzzy Hash: 6dc86bcc492c2072e9688d4651649b0b7a146acb96cfb8213c87e03fcb377a00
Instruction Fuzzy Hash: 7AF0A732705A8281EB48AF11F4A19AC1321EF4CBD4F448075EE1D4B799CE3DD5518700

Function 00007FFDFAED09F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED0A19
CRYPTO_strndup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED0A32

Strings

d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h, xrefs: 00007FFDFAED0A0F, 00007FFDFAED0A22

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_strndup
String ID: d:\juno\p4\desktop\packages\openssl\1.1.1s\installed\source\ssl\packet_local.h
API String ID: 2641571835-499535388
Opcode ID: 2c88cd4fa3f84adf6c90a8bc1dccce3909e66834cd8da932fa18c7440d955a72
Instruction ID: e35bee66999beb0b3f6128ab9f2722cd7aa1ae2d28b991dcdb5c0a4f7d32643d
Opcode Fuzzy Hash: 2c88cd4fa3f84adf6c90a8bc1dccce3909e66834cd8da932fa18c7440d955a72
Instruction Fuzzy Hash: 7AF0A732705A8281EB48AF11F4A19AC1321EF4CBD4F448075EE1D4B799CE3DD5518700

Function 00007FFDFAEBC870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBC892
CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBC8AF

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBC882, 00007FFDFAEBC89B

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\ssl_lib.c
API String ID: 2581946324-1984206432
Opcode ID: 89b88e9e68fd50fda827b92445b3d1194c74ad3cf0017b8c213f0c0a9fa2cacb
Instruction ID: 0476434331c1a1902ea32d32cd42231a83268e74ada5eeed3de4eecfb2e5ad0a
Opcode Fuzzy Hash: 89b88e9e68fd50fda827b92445b3d1194c74ad3cf0017b8c213f0c0a9fa2cacb
Instruction Fuzzy Hash: 9EE09262B0578180E745AB21D460B582761EF48B88F5440B0D91C0F3CACF7ED155C321

Function 00007FFDFAE91B4F Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_write_lock.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC2FE5
OPENSSL_LH_set_down_load.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC301C
CRYPTO_THREAD_unlock.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC3028

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: D_unlockD_write_lockH_set_down_load
String ID:
API String ID: 3243170206-0
Opcode ID: f1cc19bd0f3a85c40ec1f956f66ef054cb8c88a82b8d0545bd1a1be0c4c10ce4
Instruction ID: 4de994240e2f642808b55a23d00eb3f9acb2abb66b7766558d552884036decc8
Opcode Fuzzy Hash: f1cc19bd0f3a85c40ec1f956f66ef054cb8c88a82b8d0545bd1a1be0c4c10ce4
Instruction Fuzzy Hash: F1015222B08A8282DB58FB55E4A186C6360FFC8798F000171FA5E47B9ADF3DE4118740

Function 00007FFDFAEE1AD0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64(?,00000000,?,00007FFDFAEE1803), ref: 00007FFDFAEE1DED

Part of subcall function 00007FFDFAEE13B0: CRYPTO_malloc.LIBCRYPTO-1_1-X64(?,00007FFDFAEE0A03), ref: 00007FFDFAEE13EB
Part of subcall function 00007FFDFAEE13B0: ERR_put_error.LIBCRYPTO-1_1-X64(?,00007FFDFAEE0A03), ref: 00007FFDFAEE1413

Strings

ssl\statem\statem_dtls.c, xrefs: 00007FFDFAEE1DE3

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_mallocR_put_error
String ID: ssl\statem\statem_dtls.c
API String ID: 2160744234-3166991913
Opcode ID: 8ce064a22ff7243b6f66af6704532befed179ece15a8690a5e62cc5f11e23564
Instruction ID: 48dc54ae8ff2121043e6b1d83d19b1bfe2ca010c36a5f4d3eafd421718dfe3a5
Opcode Fuzzy Hash: 8ce064a22ff7243b6f66af6704532befed179ece15a8690a5e62cc5f11e23564
Instruction Fuzzy Hash: FDA10073708B8582DB28DB15D4A06BD77A0FBA4B84F454271DF9E47B9ADF39E4908700

Function 00007FFDFAE919BA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDCE4A

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDCE37, 00007FFDFAEDCEB8, 00007FFDFAEDCEDF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_malloc
String ID: ssl\statem\statem_clnt.c
API String ID: 1457121658-1578583260
Opcode ID: 2f7d58bf07577615a35d0cb77cfa8a33ec4239002b83fa28a8c831170cc914e7
Instruction ID: a83746676eaaa42fecde962c0ca009baf26995b3e97cdc76b20eed06e3953d5d
Opcode Fuzzy Hash: 2f7d58bf07577615a35d0cb77cfa8a33ec4239002b83fa28a8c831170cc914e7
Instruction Fuzzy Hash: DC31E57170878185E7149B21F410AADB7A1EB85BD4F584271EEAE07BC9DF3DD152C700

Function 00007FFDFAED896F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED89E8

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAED89D5, 00007FFDFAED8A88

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_malloc
String ID: ssl\statem\statem_clnt.c
API String ID: 1457121658-1578583260
Opcode ID: 5c8c747b651bec801edda9ba56785f412d4b4e156484abd7f881227e056f859c
Instruction ID: 35e5a8cac6922992b1ef7121708e41efc407883704920f99dcaac74db9976776
Opcode Fuzzy Hash: 5c8c747b651bec801edda9ba56785f412d4b4e156484abd7f881227e056f859c
Instruction Fuzzy Hash: DA31C732708B4285E7649F11E810AADB7A1EB91BD4F488271DABE0B7C9DF3EE1518700

Function 00007FFDFAE91AB9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECA875

Strings

ssl\statem\extensions_clnt.c, xrefs: 00007FFDFAECA7F2

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\statem\extensions_clnt.c
API String ID: 2581946324-2462086076
Opcode ID: 23250fc4a265bcd54e5597e87907c702c7d9518e844aaee69a6997ddb499b818
Instruction ID: e6edfdef97a2f61b92089523db5479a162518a9c20646dcfe5fecb78fddb26ec
Opcode Fuzzy Hash: 23250fc4a265bcd54e5597e87907c702c7d9518e844aaee69a6997ddb499b818
Instruction Fuzzy Hash: 89218D22B1864182E754AA16F024BAE67A1FB48BC4F140075DE5D4BBCDCF3EE942DB50

Function 00007FFDFAE98A70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE98B39

Strings

ssl\packet.c, xrefs: 00007FFDFAE98B25

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\packet.c
API String ID: 2581946324-1909711903
Opcode ID: cfa3c6b0f10520a2e3fd1ff736651638cff90114829dc2eeb5bc55a84292fdca
Instruction ID: 0fbb3a37d9fd6b51dbc7b865e2b37b4c8590ed4bc88637a66b464de6e0bb5235
Opcode Fuzzy Hash: cfa3c6b0f10520a2e3fd1ff736651638cff90114829dc2eeb5bc55a84292fdca
Instruction Fuzzy Hash: F9216076B15B4581DF98AF15C468F7823A4FB58B84F5684B1DA2D87398FE7BE405C300

Function 00007FFDFAE91F78 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CRYPTO_strdup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECE9EF

Strings

ssl\statem\extensions_clnt.c, xrefs: 00007FFDFAECE96A, 00007FFDFAECE9AE, 00007FFDFAECE9CB

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_strdup
String ID: ssl\statem\extensions_clnt.c
API String ID: 1296259186-2462086076
Opcode ID: b07b305b48ac4d08b1a15cef5b12218a7183b0e15ffa51997510615119afc5f6
Instruction ID: a841be25960be02496a2b8d40a6841ca69076f7c1687fff9040d756abf8498d8
Opcode Fuzzy Hash: b07b305b48ac4d08b1a15cef5b12218a7183b0e15ffa51997510615119afc5f6
Instruction Fuzzy Hash: 8E21C532B08A4185E7A49B01E454BBA63B0EB44B88F5841B1DAAD1B6EDCF7DD9C5CB00

Function 00007FFDFAEBAA24 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBAA9D

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBAA82

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\ssl_lib.c
API String ID: 1767461275-1984206432
Opcode ID: 3031290885429c415fd22508028380b25faf43b5c4b0e41fc8a9208dc36700b0
Instruction ID: 4bd8dfa7e21c68c5d7225856797b65ac64eae0b22cf01332e834d1bfe3c07c53
Opcode Fuzzy Hash: 3031290885429c415fd22508028380b25faf43b5c4b0e41fc8a9208dc36700b0
Instruction Fuzzy Hash: B301E553F0D6C247EB6947149C309292B60EF65754F0842F5D6AC466CEEE3EE8458701

Function 00007FFDFAE9DD30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9DD80

Strings

ssl\record\ssl3_buffer.c, xrefs: 00007FFDFAE9DD73

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\record\ssl3_buffer.c
API String ID: 2581946324-907675498
Opcode ID: 573c2f84118bfce346212d51f38bca594495efe86b236e75c3c2f883ebc58475
Instruction ID: caac86dac509fe9d60087047060010c7e84f3cb266e5b21a0234730be2b82c8f
Opcode Fuzzy Hash: 573c2f84118bfce346212d51f38bca594495efe86b236e75c3c2f883ebc58475
Instruction Fuzzy Hash: A0019E32725B92C1D750AF05E5405DC33A4FB48B98F584135EB9D0BB99CF3AD162C740

Function 00007FFDFAE97C70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE97CB6

Strings

ssl\packet.c, xrefs: 00007FFDFAE97CA9

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\packet.c
API String ID: 2581946324-1909711903
Opcode ID: 04ab4f21a415d68bf8f597629e962417eef10804bebd4ed9ecd865a19874761b
Instruction ID: ce1188265e4d57715e1a48be7606a8805c1f0a6ba6e535e15034902df04ba16e
Opcode Fuzzy Hash: 04ab4f21a415d68bf8f597629e962417eef10804bebd4ed9ecd865a19874761b
Instruction Fuzzy Hash: D1F0B4A2B1470241EB54AB259460B7923A1EF4C7E4F181070DA1D8B7C9EF6ED8E5C710

Function 00007FFDFAE9228E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9B003

Strings

ssl\record\rec_layer_d1.c, xrefs: 00007FFDFAE9AFF6

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\record\rec_layer_d1.c
API String ID: 2581946324-2186836241
Opcode ID: e2567c353c12a9f5e082f9b0b05476c957e6b1ac2f56666a9f17c676025000f4
Instruction ID: 6e02949643ca9b6cd88fcd246e241c3f093d4ec16b491fb88b5150ff81145915
Opcode Fuzzy Hash: e2567c353c12a9f5e082f9b0b05476c957e6b1ac2f56666a9f17c676025000f4
Instruction Fuzzy Hash: 10F05451B1964240EB88B756F461A7D5251EF8CBC8F485071FD2E4B7CFDE1ED4914700

Function 00007FFDFAE97B20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE97B50

Strings

ssl\packet.c, xrefs: 00007FFDFAE97B43

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\packet.c
API String ID: 2581946324-1909711903
Opcode ID: b9b8e640fcae2b366299504ddeea33bd6ac1e8916384a9f7f7dcbc3f29a3813f
Instruction ID: 194f0addce7aa0260838fb9f96d5c46a090cabca1f5d89b5eef2785b48e2ffbd
Opcode Fuzzy Hash: b9b8e640fcae2b366299504ddeea33bd6ac1e8916384a9f7f7dcbc3f29a3813f
Instruction Fuzzy Hash: 6AE09222B19B4181FF98AB45E460B786221FF4CB98F1C0170EA5E47BC9EE2ED4614700

Function 00007FFDFAEAC990 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CRYPTO_get_ex_new_index.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC9BA

Strings

SSL for verify callback, xrefs: 00007FFDFAEAC9A1

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_get_ex_new_index
String ID: SSL for verify callback
API String ID: 3987194240-2900698531
Opcode ID: a9d02a2a09db33ccb708bd4d69d4235c50c386b56e3c4a85f3ed92968e8b7826
Instruction ID: 03dd1077cfbe4efcf974957f9ab48eb582f846226cef60c2c5723c372ab2a66d
Opcode Fuzzy Hash: a9d02a2a09db33ccb708bd4d69d4235c50c386b56e3c4a85f3ed92968e8b7826
Instruction Fuzzy Hash: 11E06576B0924147E315DF60E861ED536A5BF48320F888579ED684B698EE3CA151C610

Function 00007FFDFAEC6DF0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC6E26

Strings

ssl\statem\extensions.c, xrefs: 00007FFDFAEC6E12

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\statem\extensions.c
API String ID: 2581946324-3728926295
Opcode ID: 1ec66eb0452475aedfea99c59b37e0d7b3feadb61b2d182a3756e929dd9bc983
Instruction ID: 4098cb39d91e15ebff05f5c90b82a6f3d8b638a92e2088c5c92840cec1c2db04
Opcode Fuzzy Hash: 1ec66eb0452475aedfea99c59b37e0d7b3feadb61b2d182a3756e929dd9bc983
Instruction Fuzzy Hash: C8E02662B023408AF350A714D0687D82360EF44728F580070E90D4F3C5DF7F9693CB50

Function 00007FFDFAEC7870 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC7896

Strings

ssl\statem\extensions.c, xrefs: 00007FFDFAEC7882

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\statem\extensions.c
API String ID: 2581946324-3728926295
Opcode ID: 7c64739d4e29a9d6e0e4d787c41bd994b070bc52d595970ee8e31b4098b3382f
Instruction ID: ea9c7b9df5ffee5b6a592655831a04774d6a8472cad09d00aa7bc1d1b40d46f0
Opcode Fuzzy Hash: 7c64739d4e29a9d6e0e4d787c41bd994b070bc52d595970ee8e31b4098b3382f
Instruction Fuzzy Hash: 7BD05E96F0564141F7046755E825B981220EF48758F8810B1ED1C4F7C7DE6EE5924B10

Function 00007FFDFAE9DCD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9DCF6

Strings

ssl\record\ssl3_buffer.c, xrefs: 00007FFDFAE9DCE2

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\record\ssl3_buffer.c
API String ID: 2581946324-907675498
Opcode ID: 0a9449d85f8508a8dbb42a31e4c01a251f20f8de3eaf2569e13d06295b4d4eaa
Instruction ID: d8e3027e92e237470f962a3f58f4bc21cf904690509c0a1d6ab46d4a78358c43
Opcode Fuzzy Hash: 0a9449d85f8508a8dbb42a31e4c01a251f20f8de3eaf2569e13d06295b4d4eaa
Instruction Fuzzy Hash: 6DD02E52B01A8040E7407350D8107A81300FF08748F084074EC2C4F3C7CE2ED0824B10

Function 00007FFDFAE92310 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF6B74

Strings

ssl\t1_lib.c, xrefs: 00007FFDFAEF6B6D

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\t1_lib.c
API String ID: 2581946324-1168734446
Opcode ID: bf97724fc228ee8da995da13da6d63a21a3d03381cff82cf26d4983b03a6d019
Instruction ID: fdde70de55182eb4ec300f64f62bc70dc89e8c17d8381a856bef99a723f8594e
Opcode Fuzzy Hash: bf97724fc228ee8da995da13da6d63a21a3d03381cff82cf26d4983b03a6d019
Instruction Fuzzy Hash: 70D01716B5A18291FB58B6519832EBC1321EF88B58F5400B0EA3E4B2DACC2EB5569610

Function 00007FFDFAE9DC20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9DC40

Strings

ssl\record\ssl3_buffer.c, xrefs: 00007FFDFAE9DC39

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free
String ID: ssl\record\ssl3_buffer.c
API String ID: 2581946324-907675498
Opcode ID: 584547ccba932a87f5746a4d7ace7e8f70ed34f02ac2531bb73375d58440100a
Instruction ID: c922cf1dd2daef8d75b4450e137d80480f9890fba55e37fff6141a8887fb0ad9
Opcode Fuzzy Hash: 584547ccba932a87f5746a4d7ace7e8f70ed34f02ac2531bb73375d58440100a
Instruction Fuzzy Hash: C1D0A762F0554181EB447B21D8117982350EF48704F488070D51C4B3C6DE2ED5558700

Function 00007FFDFAEEBC60 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CRYPTO_memcmp.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEBD5E

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_memcmp
String ID:
API String ID: 2788248766-0
Opcode ID: 151079c9d6ce6b29923227dfc25308dc42bebc0791857ec853974d87dc70dea6
Instruction ID: 9fd8f4198b8f7247f612029d646c211f19d543370e017588abfc649445a0e078
Opcode Fuzzy Hash: 151079c9d6ce6b29923227dfc25308dc42bebc0791857ec853974d87dc70dea6
Instruction Fuzzy Hash: 35312862B08AC085DB355724F4616B9B760FB897B4F084371EABD87AD9DF2DD2918700

Function 00007FFDFAEC9D90 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CRYPTO_memcmp.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC9DAD

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_memcmp
String ID:
API String ID: 2788248766-0
Opcode ID: 81a886808f2dfd992f20e54026fe597cca9ee73e232c17d4a06b397ecec11d50
Instruction ID: 682fa4ac2e413958b0fce4f74760ac15b13222f259ad765a57e7a52cdcf5c2a4
Opcode Fuzzy Hash: 81a886808f2dfd992f20e54026fe597cca9ee73e232c17d4a06b397ecec11d50
Instruction Fuzzy Hash: C7D0A91AF4214282E78CB23ECCA61A802C0AB84350FE484B4E11EC66C9CC0FDAB68A01

Function 00007FFDFAED0340 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CRYPTO_memcmp.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED035D

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_memcmp
String ID:
API String ID: 2788248766-0
Opcode ID: 81a886808f2dfd992f20e54026fe597cca9ee73e232c17d4a06b397ecec11d50
Instruction ID: 6d9ee226d91fe5018d654b19a574f8d4acade74ffde1b85b96ea3a9ddb55ecec
Opcode Fuzzy Hash: 81a886808f2dfd992f20e54026fe597cca9ee73e232c17d4a06b397ecec11d50
Instruction Fuzzy Hash: D2D0A71AF4254282E74CF23DCCA60A802C09B84350FD88474E11FC26D5CC0ED5A64601

Function 00007FFDFAEADEF0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_run_once.LIBCRYPTO-1_1-X64(00007FFDFAEAD4BE), ref: 00007FFDFAEADF0B

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: D_run_once
String ID:
API String ID: 1403826838-0
Opcode ID: c2b3581cf068ec6ed5926724cca3462576f2358c231d76b3ec8c2e707ddf339e
Instruction ID: 33cec5995319f1e2fbadd304a88653e20ed9151f1eb32d70dea4ed233f2086c5
Opcode Fuzzy Hash: c2b3581cf068ec6ed5926724cca3462576f2358c231d76b3ec8c2e707ddf339e
Instruction Fuzzy Hash: E7D05E24F0854392F70CBB24CCB69B12290AF44320FC040B6E82E8B1E9DD1DE9068601

Function 00007FFDFAEB32E0 Relevance: 71.9, APIs: 35, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3302
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB330F
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB331C
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3329
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3336
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3343
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3350
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB335D
EVP_aes_256_cbc.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3362
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB336A
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3377
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3384
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3391
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB339E
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB33AB
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB33B8
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB33C5
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB33D2
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB33DF
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB33EC
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB33F9
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3406
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3413
EVP_add_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3420
EVP_md5.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3425
EVP_add_digest.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3452
EVP_sha1.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3457
EVP_add_digest.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB345F
OBJ_NAME_add.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB3477
OBJ_NAME_add.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB348F
EVP_add_digest.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB349C
EVP_sha256.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB34A1
EVP_add_digest.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB34A9
EVP_add_digest.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB34B6
EVP_add_digest.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB34C3

Part of subcall function 00007FFDFAE91924: OBJ_nid2sn.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0DB7
Part of subcall function 00007FFDFAE91924: EVP_get_digestbyname.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0DBF
Part of subcall function 00007FFDFAE91924: EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0E41
Part of subcall function 00007FFDFAE91924: EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0E61
Part of subcall function 00007FFDFAE91924: ENGINE_finish.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0E75
Part of subcall function 00007FFDFAE91924: EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0EB3
Part of subcall function 00007FFDFAE91924: EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0ED3
Part of subcall function 00007FFDFAE91924: ENGINE_finish.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB0EE7

Strings

ssl3-sha1, xrefs: 00007FFDFAEB3470
SHA1, xrefs: 00007FFDFAEB3464
RSA-SHA1, xrefs: 00007FFDFAEB347C
ssl3-md5, xrefs: 00007FFDFAEB343E
RSA-SHA1-2, xrefs: 00007FFDFAEB3488
MD5, xrefs: 00007FFDFAEB3432

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: P_add_cipher$P_add_digest$E_addE_finishY_asn1_find_strY_asn1_get0_info$J_nid2snP_aes_256_cbcP_get_digestbynameP_md5P_sha1P_sha256
String ID: MD5$RSA-SHA1$RSA-SHA1-2$SHA1$ssl3-md5$ssl3-sha1
API String ID: 1429678301-3803824401
Opcode ID: 9ec6f6a66e0244b9107fc610a9b1de31638c3c1e6104203bd08ad951950c51c4
Instruction ID: a8fea9bd60c941c410b66095c6a45a8a6a8562e869a4254c93a8c670d111ee61
Opcode Fuzzy Hash: 9ec6f6a66e0244b9107fc610a9b1de31638c3c1e6104203bd08ad951950c51c4
Instruction Fuzzy Hash: 2C410110F0918344FB8CB7EA68B69F81B50DF92788F9445B5E83F4A2DBED2EE14542D1

Function 00007FFDFAE91E5B Relevance: 63.4, APIs: 19, Strings: 17, Instructions: 441COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_reset.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF9AC0
EVP_CIPHER_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF9ADF
EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF9BC4
EVP_CIPHER_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF9BE1

Part of subcall function 00007FFDFAEF96B0: EVP_MD_size.LIBCRYPTO-1_1-X64(?,?,?,?,?,00000374,00000000,?,00007FFDFAEFB88F), ref: 00007FFDFAEF9721
Part of subcall function 00007FFDFAEF96B0: OPENSSL_cleanse.LIBCRYPTO-1_1-X64(?,?,?,?,?,00000374,00000000,?,00007FFDFAEFB88F), ref: 00007FFDFAEF9950

memcpy.VCRUNTIME140 ref: 00007FFDFAEF9FD6
memcpy.VCRUNTIME140 ref: 00007FFDFAEF9FF5
memcpy.VCRUNTIME140 ref: 00007FFDFAEFA0DB
memcpy.VCRUNTIME140 ref: 00007FFDFAEFA16C
OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFA216

Strings

EARLY_EXPORTER_SECRET, xrefs: 00007FFDFAEF9E93
CLIENT_EARLY_TRAFFIC_SECRET, xrefs: 00007FFDFAEF9C4D
SERVER_HANDSHAKE_TRAFFIC_SECRET, xrefs: 00007FFDFAEF9BCC
EXPORTER_SECRET, xrefs: 00007FFDFAEFA13B
finished, xrefs: 00007FFDFAEFA1A0
CLIENT_HANDSHAKE_TRAFFIC_SECRET, xrefs: 00007FFDFAEF9F1B
exp master, xrefs: 00007FFDFAEFA0F7
c hs traffic, xrefs: 00007FFDFAEF9F10
e exp master, xrefs: 00007FFDFAEF9E27
CLIENT_TRAFFIC_SECRET_0, xrefs: 00007FFDFAEF9F34
c e traffic, xrefs: 00007FFDFAEF9B7B, 00007FFDFAEFA1E4
s hs traffic, xrefs: 00007FFDFAEF9B89, 00007FFDFAEF9FDB
res master, xrefs: 00007FFDFAEFA01D
ssl\tls13_enc.c, xrefs: 00007FFDFAEF9B00, 00007FFDFAEF9C7E, 00007FFDFAEF9CE3, 00007FFDFAEF9D21, 00007FFDFAEF9D51, 00007FFDFAEF9E6E, 00007FFDFAEF9EBC
s ap traffic, xrefs: 00007FFDFAEF9B66, 00007FFDFAEF9FBC, 00007FFDFAEFA0BB
SERVER_TRAFFIC_SECRET_0, xrefs: 00007FFDFAEF9C06
c ap traffic, xrefs: 00007FFDFAEF9B82, 00007FFDFAEF9FFA, 00007FFDFAEFA060

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: memcpy$D_sizeL_cleanseX_new$X_reset
String ID: CLIENT_EARLY_TRAFFIC_SECRET$CLIENT_HANDSHAKE_TRAFFIC_SECRET$CLIENT_TRAFFIC_SECRET_0$EARLY_EXPORTER_SECRET$EXPORTER_SECRET$SERVER_HANDSHAKE_TRAFFIC_SECRET$SERVER_TRAFFIC_SECRET_0$c ap traffic$c e traffic$c hs traffic$e exp master$exp master$finished$res master$s ap traffic$s hs traffic$ssl\tls13_enc.c
API String ID: 2058625460-2235490636
Opcode ID: 8fe57a5a07baa72b24880e83cb0f14f760a94e1d54d7f37eabb17a93230599ba
Instruction ID: 8127141337f86df0073af6141cd1f8590a8ca547c69e48393814ac975c9390af
Opcode Fuzzy Hash: 8fe57a5a07baa72b24880e83cb0f14f760a94e1d54d7f37eabb17a93230599ba
Instruction Fuzzy Hash: 97229236B08B8295EB58AB21E960AE973A4FF44788F500175EAAE077DCDF3DE154C740

Function 00007FFDFAE91DC0 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAE2C
X509_STORE_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAE3C
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAE51
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAE66
X509_STORE_add_cert.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAE71
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAE84
X509_STORE_add_cert.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAE93
X509_STORE_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAED1
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAEF9
X509_STORE_CTX_init.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAF0F
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAF33
X509_STORE_CTX_set_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAF49
X509_verify_cert.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAF51
ERR_clear_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAF6D
X509_STORE_CTX_get1_chain.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAF7D
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAFA6
X509_STORE_CTX_get_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAFAE
X509_verify_cert_error_string.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAFB5
ERR_add_error_data.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAFC9
X509_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAFDE
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAFEC
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAFF8
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB003
X509_get_extension_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB00B
X509_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB021
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB02B
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB039
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB066
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB07A
X509_STORE_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB098
X509_STORE_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB0A0
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB0DC
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB0EB

Strings

Verify error:, xrefs: 00007FFDFAEAAFBD
ssl\ssl_cert.c, xrefs: 00007FFDFAEAAE0F, 00007FFDFAEAAEDE, 00007FFDFAEAAF18, 00007FFDFAEAAF96, 00007FFDFAEAB0C0

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X509_$L_sk_num$R_put_error$L_sk_value$E_add_certL_sk_pop_freeX509_free$E_freeE_newR_add_error_dataR_clear_errorX509_get_extension_flagsX509_verify_certX509_verify_cert_error_stringX_freeX_get1_chainX_get_errorX_initX_newX_set_flags
String ID: Verify error:$ssl\ssl_cert.c
API String ID: 2742951747-1914138397
Opcode ID: a59fdef4cc3633782a8b22260660d03f74b7bd94cca7cb615b85f2225ad81aac
Instruction ID: 99571d5febe899055219d3598c77db15a730ade91f6a50d3cfe32f928723470e
Opcode Fuzzy Hash: a59fdef4cc3633782a8b22260660d03f74b7bd94cca7cb615b85f2225ad81aac
Instruction Fuzzy Hash: 6B81B255B0868245FB2CBA21A5B0BBA6791EF84788F0444B1DE2F4B7DEDF7FE5418240

Function 00007FFDFAEC22C0 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC2336
OPENSSL_sk_num.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC235B
OPENSSL_sk_value.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC2369
OPENSSL_sk_num.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC238E
X509_get_pubkey.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC23A2
ERR_put_error.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC23F1
ERR_put_error.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC2417
EVP_PKEY_missing_parameters.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC242E
ERR_put_error.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC245A
EVP_PKEY_copy_parameters.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC2476
EVP_PKEY_cmp.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC2481
ERR_put_error.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC24AE
ERR_put_error.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC2502
X509_chain_up_ref.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC2514
ERR_put_error.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC253E
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC2560
X509_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC258C
X509_up_ref.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC2594
EVP_PKEY_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC25BB
EVP_PKEY_up_ref.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC25C3
EVP_PKEY_free.LIBCRYPTO-1_1-X64(?,?,?,?,?,?,00007FFDFAEC03DA), ref: 00007FFDFAEC2607

Strings

ssl\ssl_rsa.c, xrefs: 00007FFDFAEC231A, 00007FFDFAEC23D4, 00007FFDFAEC23FB, 00007FFDFAEC243B, 00007FFDFAEC248F, 00007FFDFAEC24E3, 00007FFDFAEC2523

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error$L_sk_numY_free$L_sk_pop_freeL_sk_valueX509_chain_up_refX509_freeX509_get_pubkeyX509_up_refY_cmpY_copy_parametersY_missing_parametersY_up_ref
String ID: ssl\ssl_rsa.c
API String ID: 3359284134-2490807841
Opcode ID: d2c8acb4f3b78de242e0da00fbbc699b0fc739759d2cd59e19296b52861528ee
Instruction ID: 69ca2ebd4a7018c0253498d31c2b75fdf7629209662ab5c8674c8f71f8a1449a
Opcode Fuzzy Hash: d2c8acb4f3b78de242e0da00fbbc699b0fc739759d2cd59e19296b52861528ee
Instruction Fuzzy Hash: 45819461B0868285EB68FB05E464ABA67A0FF84B84F514171EE6E47BC9DF3ED105C701

Function 00007FFDFAE91299 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC61C
X509_STORE_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC651
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC679
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC69F
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC6D4
X509_STORE_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC6DC
X509_STORE_CTX_set_ex_data.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC74D
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC76D
X509_STORE_CTX_set0_dane.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC77C
X509_STORE_CTX_set_default.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC799
X509_VERIFY_PARAM_set1.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC7A8
X509_STORE_CTX_set_verify_cb.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC7BC
X509_STORE_CTX_get_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC7EC
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC805
X509_STORE_CTX_get0_chain.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC818
X509_STORE_CTX_get1_chain.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC825
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC851
X509_VERIFY_PARAM_move_peername.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC862
X509_STORE_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC86A

Strings

ssl_server, xrefs: 00007FFDFAEAC78B
ssl\ssl_cert.c, xrefs: 00007FFDFAEAC65E, 00007FFDFAEAC6B9, 00007FFDFAEAC836
ssl_client, xrefs: 00007FFDFAEAC784

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X509_$R_put_error$L_sk_numX_free$L_sk_pop_freeL_sk_valueM_move_peernameM_set1X_get0_chainX_get1_chainX_get_errorX_newX_set0_daneX_set_defaultX_set_ex_dataX_set_verify_cb
String ID: ssl\ssl_cert.c$ssl_client$ssl_server
API String ID: 4276941150-2051215303
Opcode ID: bf08bfa75e7564bec82ab5a93fc8c391a62a12ad505885ff33e0a7163d474f0a
Instruction ID: 43c3247ee291febae3aa30ac0e9f1e7a5aaa5e53e0446deeb5f9a684bfcbde0e
Opcode Fuzzy Hash: bf08bfa75e7564bec82ab5a93fc8c391a62a12ad505885ff33e0a7163d474f0a
Instruction Fuzzy Hash: 9B617F61B0868241EB48FB619570BB967A2EF85BC8F444075ED2E4B7DEEF3EE4018740

Function 00007FFDFAEA48D0 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4919
EVP_MD_CTX_new.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4921
EVP_sha1.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA497E
EVP_DigestInit_ex.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA498C
EVP_DigestUpdate.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA49A4
EVP_DigestUpdate.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA49C3
EVP_DigestUpdate.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA49E7
EVP_DigestUpdate.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4A0B
EVP_DigestFinal_ex.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4A23
EVP_md5.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4A30
EVP_DigestInit_ex.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4A3E
EVP_DigestUpdate.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4A5D
EVP_DigestUpdate.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4A78
EVP_DigestFinal_ex.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4A98
memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4AAF
EVP_DigestFinal_ex.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4AB9
OPENSSL_cleanse.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4B21
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4B60
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64(?,00000000,?,?,?,00000000,00000000,00007FFDFAEA5251), ref: 00007FFDFAEA4B68

Strings

", xrefs: 00007FFDFAEA4B30
ssl\s3_enc.c, xrefs: 00007FFDFAEA4B3E

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: Digest$Update$Final_ex$Init_exX_freeX_new$L_cleanseP_md5P_sha1memcpy
String ID: "$ssl\s3_enc.c
API String ID: 3423753248-3159716511
Opcode ID: 885136b415287631590d282dbe0bdc070c3d2052f9c668ce25502bea733a56cc
Instruction ID: e76b4b0a81f60915fabb99f5c1be1a0ce8ad3a09436f83dc4a407efeb74a7bbe
Opcode Fuzzy Hash: 885136b415287631590d282dbe0bdc070c3d2052f9c668ce25502bea733a56cc
Instruction Fuzzy Hash: 2A61E8A2B0828241F7A8B616A460F7A6780EF857C4F545075EE6F0BBCDDE3EE5448700

Function 00007FFDFAE91271 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA446F
EVP_MD_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4489
BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4546
EVP_MD_CTX_md.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA456B
EVP_MD_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA45B1
EVP_MD_CTX_md.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA45F8
EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4600
EVP_DigestUpdate.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4623
EVP_MD_CTX_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4643
EVP_DigestFinal_ex.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4655
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA468F

Strings

ssl\s3_enc.c, xrefs: 00007FFDFAEA4517, 00007FFDFAEA458B, 00007FFDFAEA466C

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: DigestX_mdX_new$D_sizeFinal_exO_ctrlO_freeUpdateX_ctrlX_free
String ID: ssl\s3_enc.c
API String ID: 2523682943-1240879137
Opcode ID: fe055ecac753f962e3573f21dfdbfe2a56f6a2848e9121f1250d191342d3cac3
Instruction ID: 8b963bc9f055436d3dd73663cbf88ec1e0c053cc53cea4d2c0e1ba915146d349
Opcode Fuzzy Hash: fe055ecac753f962e3573f21dfdbfe2a56f6a2848e9121f1250d191342d3cac3
Instruction Fuzzy Hash: 9B61AF72B08A8285EB68AA12E460BBD2790EF85BC4F144471DD1E4B7DDDF3EE5458700

Function 00007FFDFAEF1B30 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAEF2CB7), ref: 00007FFDFAEF1BBC
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAEF2CB7), ref: 00007FFDFAEF1C12
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAEF2CB7), ref: 00007FFDFAEF1C4B
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAEF2CB7), ref: 00007FFDFAEF1C76
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAEF2CB7), ref: 00007FFDFAEF1CA4
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAEF2CB7), ref: 00007FFDFAEF1CDA
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAEF2CB7), ref: 00007FFDFAEF1D13
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAEF2CB7), ref: 00007FFDFAEF1D48
EVP_PKEY_CTX_free.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAEF2CB7), ref: 00007FFDFAEF1DC8

Strings

7, xrefs: 00007FFDFAEF1DAF
5, xrefs: 00007FFDFAEF1D89
ssl\t1_enc.c, xrefs: 00007FFDFAEF1B6D, 00007FFDFAEF1D74

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X_ctrl$R_put_errorX_free
String ID: 5$7$ssl\t1_enc.c
API String ID: 250720567-2011613492
Opcode ID: fee31dc2a8a8df2993e66ed49f5befdd8f7c3fc7457a63cb8645dac3083757a0
Instruction ID: 625b2743ddd99aaa4bbfc7f686c1f77bd8616dd6c40cd7778724997f8e76dbe1
Opcode Fuzzy Hash: fee31dc2a8a8df2993e66ed49f5befdd8f7c3fc7457a63cb8645dac3083757a0
Instruction Fuzzy Hash: 67616231B087C646E734AB15E410BAAA7A1FF89798F140275EAAD47BDDDF3ED5018B00

Function 00007FFDFAEBBCF0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBBDE3

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBBD1D, 00007FFDFAEBBD93, 00007FFDFAEBBED5, 00007FFDFAEBBF05, 00007FFDFAEBBF94

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\ssl_lib.c
API String ID: 1767461275-1984206432
Opcode ID: 01eeab4158dc740b8fdf0cb8ed2267f0f058a46fbc08a20e005f082f6adbab3d
Instruction ID: 00df7c5f84e162f0f4e0ae6fcf16e02ed28a1457569f162f9f7cf031ebba016d
Opcode Fuzzy Hash: 01eeab4158dc740b8fdf0cb8ed2267f0f058a46fbc08a20e005f082f6adbab3d
Instruction Fuzzy Hash: D471A632B1C68586E779AB11E414BAA7690FB847C8F444176DA5E4BBCDCF3EE541CB00

Function 00007FFDFAE91C17 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 132stringCOMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE97639
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE97661
strchr.VCRUNTIME140 ref: 00007FFDFAE97698
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAE9770C
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE97743
OPENSSL_sk_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9774B

Strings

H, xrefs: 00007FFDFAE9764B
ssl\d1_srtp.c, xrefs: 00007FFDFAE97653, 00007FFDFAE9772E

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error$L_sk_freeL_sk_new_nullstrchrstrncmp
String ID: H$ssl\d1_srtp.c
API String ID: 767303460-1470419497
Opcode ID: 29386592bf9e8c3ce4e466a34d3e8dc186c80de6294d9f9c9f48cd2700de4b27
Instruction ID: 641f4a85b3557003e08d9127a8842b74b0b5c40088ec93ebe43daf8fa27ae4d3
Opcode Fuzzy Hash: 29386592bf9e8c3ce4e466a34d3e8dc186c80de6294d9f9c9f48cd2700de4b27
Instruction Fuzzy Hash: 1B41D621F0D78246FB58BB15A420B7967A0EF48BD8F1440B1E96E477CEDE3EE5558700

Function 00007FFDFAE91C3F Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFAA68
EVP_PKEY_new_raw_private_key.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFAB38
OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFAB4A
EVP_PKEY_new_raw_private_key.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFAB64
EVP_DigestSignInit.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFAB86
EVP_DigestUpdate.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFAB9F
EVP_DigestSignFinal.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFABB3
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFABF1
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFABF9

Strings

ssl\tls13_enc.c, xrefs: 00007FFDFAEFABD0
finished, xrefs: 00007FFDFAEFAAFA

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: Digest$SignY_new_raw_private_key$FinalInitL_cleanseUpdateX_freeX_newY_free
String ID: finished$ssl\tls13_enc.c
API String ID: 2202177965-2546891311
Opcode ID: f18d2c94e2cbe502f8d928aa661930e5ddfd70d1023f17a50bbef31060d2632d
Instruction ID: fbd708527772eeef6227f87e86b7fd15eb39ffe8e0b5aeb2a40b8567ce7cf18d
Opcode Fuzzy Hash: f18d2c94e2cbe502f8d928aa661930e5ddfd70d1023f17a50bbef31060d2632d
Instruction Fuzzy Hash: 90519121708BC185E768FB52A520AE9A391FF85784F840072EE6E47BDDCF3DD5018700

Function 00007FFDFAE91929 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

BIO_method_type.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB169
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB182
BIO_up_ref.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB18E
BIO_s_socket.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB1A3
BIO_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB1AB
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB1D3
BIO_int_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB1F7
BIO_pop.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB207
BIO_free_all.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB214
BIO_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB229

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBB1B8

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_ctrlO_free_allO_int_ctrlO_method_typeO_newO_popO_pushO_s_socketO_up_refR_put_error
String ID: ssl\ssl_lib.c
API String ID: 2857342199-1984206432
Opcode ID: 85d67a6c2648e417ca74dec4a8ea35edcd40658fc2ecf942b8c514aa9a913ce1
Instruction ID: 3e2b061cee51d2995e34fa5be2f398230d1e0f2e796073eb6c8a468cc61a81f5
Opcode Fuzzy Hash: 85d67a6c2648e417ca74dec4a8ea35edcd40658fc2ecf942b8c514aa9a913ce1
Instruction Fuzzy Hash: AB21E521B0964281EB58FB11E565B7D2760EFC4BC8F100171DE6E47BDEDE2EE4518780

Function 00007FFDFAF42730 Relevance: 18.2, APIs: 12, Instructions: 240COMMON

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF42776
__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF4279B
GetCPInfo.KERNEL32 ref: 00007FFDFAF427DB
MultiByteToWideChar.KERNEL32 ref: 00007FFDFAF4287E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF428E5
MultiByteToWideChar.KERNEL32 ref: 00007FFDFAF42920
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF42942
MultiByteToWideChar.KERNEL32 ref: 00007FFDFAF4296B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF429CB
MultiByteToWideChar.KERNEL32 ref: 00007FFDFAF42A03
CompareStringEx.KERNEL32 ref: 00007FFDFAF42A36
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF42A63

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
String ID:
API String ID: 3420081407-0
Opcode ID: 0a3bc19766eb86094f686106f40c0cd605ca1c2ad763c2bac50d96296598dfb8
Instruction ID: 018684053f691190b337a6b6b85df3fbadce59abaa62072985fb3b20e484acea
Opcode Fuzzy Hash: 0a3bc19766eb86094f686106f40c0cd605ca1c2ad763c2bac50d96296598dfb8
Instruction Fuzzy Hash: 0BA1A122B0878346FB798B25D460B796691AF44BB8F484371EE7D8A7D8DF7DE6448300

Function 00007FFDFAE91320 Relevance: 18.1, APIs: 12, Instructions: 78COMMON

Download Yara Rule

APIs

BIO_f_buffer.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE947A7
BIO_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE947AF
BIO_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE947DF
BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9487A
BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE94882

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_freeO_new$O_f_buffer
String ID:
API String ID: 2811863154-0
Opcode ID: 42743fb8d9fef65412761086da19754b994cbc57217fa27989219f957673c808
Instruction ID: 1643e9af45b35364261c3cb482c7f4f02b2a035328153aab80bb53e7cc1baad2
Opcode Fuzzy Hash: 42743fb8d9fef65412761086da19754b994cbc57217fa27989219f957673c808
Instruction Fuzzy Hash: 82212F11F5E38241EB5CB712617197D16909F8ABC8E5404B4ED3F07BDEEE2FE4118641

Function 00007FFDFAE91CEE Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC6C1C
BIO_puts.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC6C33
BIO_printf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC6C63
BIO_puts.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC6C82
BIO_printf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC6CB0
BIO_puts.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC6CCC

Strings

Session-ID:, xrefs: 00007FFDFAEC6C29
%02X, xrefs: 00007FFDFAEC6C59, 00007FFDFAEC6CA6
Master-Key:, xrefs: 00007FFDFAEC6C78
RSA , xrefs: 00007FFDFAEC6C15

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_puts$O_printf
String ID: Master-Key:$%02X$RSA $Session-ID:
API String ID: 4098839300-1878088908
Opcode ID: 2ac200fe91c06d84d50dd9d8655bd17db567c2b8efc18dedef4f6edc0b592e37
Instruction ID: 6a19151fdac425143bedca9e8f322139ec062dcd129fbd0569e77a93453defb6
Opcode Fuzzy Hash: 2ac200fe91c06d84d50dd9d8655bd17db567c2b8efc18dedef4f6edc0b592e37
Instruction Fuzzy Hash: 4F31B521B0869299E74DBB159960FB967A5FF04388F4561B0EE2F472DEDF2EE450C700

Function 00007FFDFAF56F30 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7B910: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B930
Part of subcall function 00007FFDFAF7B910: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B938
Part of subcall function 00007FFDFAF7B910: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B941
Part of subcall function 00007FFDFAF7B910: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B95D

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFAF5ACBE), ref: 00007FFDFAF56F7B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFAF5ACBE), ref: 00007FFDFAF56F9B
_Maklocstr.LIBCPMT ref: 00007FFDFAF56FB5
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFAF5ACBE), ref: 00007FFDFAF56FBE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFAF5ACBE), ref: 00007FFDFAF56FDE
_Maklocstr.LIBCPMT ref: 00007FFDFAF56FF8
_Maklocstr.LIBCPMT ref: 00007FFDFAF5700D

Part of subcall function 00007FFDFAF44E20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E42
Part of subcall function 00007FFDFAF44E20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E68
Part of subcall function 00007FFDFAF44E20: memmove.VCRUNTIME140(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E80

Strings

:AM:am:PM:pm, xrefs: 00007FFDFAF57006
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFDFAF56FA5
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFDFAF56FE8

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 269533641-35662545
Opcode ID: aa6256a802ae6aae60c89fbc4adf7e0fd39fa9afd2cae53cf67b217841ab49e8
Instruction ID: 921a12c48b476eee60317a5cc2dfe48009ea678df8521806fa7e38e30e5b4ad6
Opcode Fuzzy Hash: aa6256a802ae6aae60c89fbc4adf7e0fd39fa9afd2cae53cf67b217841ab49e8
Instruction Fuzzy Hash: 05318122B04B4686E704DF21E820AA837A5FF89F94F494275EA5D4B399DF3CE541C340

Function 00007FFDFAF42B60 Relevance: 16.7, APIs: 11, Instructions: 200COMMON

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF42BA7
MultiByteToWideChar.KERNEL32 ref: 00007FFDFAF42BD3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF42C43
MultiByteToWideChar.KERNEL32 ref: 00007FFDFAF42C7C
LCMapStringEx.KERNEL32 ref: 00007FFDFAF42CB3
LCMapStringEx.KERNEL32 ref: 00007FFDFAF42D0C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF42D72
LCMapStringEx.KERNEL32 ref: 00007FFDFAF42DBA
WideCharToMultiByte.KERNEL32 ref: 00007FFDFAF42DFC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF42E10
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF42E2D

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ByteCharMultiStringWide$freemalloc$__strncnt
String ID:
API String ID: 1733283546-0
Opcode ID: ae1be26d2e51191e0f655ca795b68fc3904211f1733c49ea8a0ce77127fb274f
Instruction ID: 008cabf1709b5ee13aaf69837dca0d3f9487131d9b6c4d43e8c8267097cfd129
Opcode Fuzzy Hash: ae1be26d2e51191e0f655ca795b68fc3904211f1733c49ea8a0ce77127fb274f
Instruction Fuzzy Hash: D0816C32B0874286EB688F51D460B79A6A5FF44BB8F040374EE6E8BBD8DF3DD5458600

Function 00007FFDFAF79BC0 Relevance: 16.7, APIs: 11, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7A550: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF79992), ref: 00007FFDFAF7A576
Part of subcall function 00007FFDFAF7A550: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF79992), ref: 00007FFDFAF7A5E0

_Stoflt.LIBCPMT ref: 00007FFDFAF79C44
_FXp_setw.LIBCPMT ref: 00007FFDFAF79C5E
_FXp_setw.LIBCPMT ref: 00007FFDFAF79C71
_FXp_setn.LIBCPMT ref: 00007FFDFAF79CB5
_FXp_addx.LIBCPMT ref: 00007FFDFAF79CC7
_FXp_setw.LIBCPMT ref: 00007FFDFAF79D1E
_FXp_setw.LIBCPMT ref: 00007FFDFAF79D31
_FXp_setn.LIBCPMT ref: 00007FFDFAF79C7C

Part of subcall function 00007FFDFAF70EE0: _FXp_setw.LIBCPMT ref: 00007FFDFAF70F19

_FXp_setn.LIBCPMT ref: 00007FFDFAF79D3C
_FXp_setn.LIBCPMT ref: 00007FFDFAF79D75
_FXp_addx.LIBCPMT ref: 00007FFDFAF79D87

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 3166507417-0
Opcode ID: 7e2d088b15f921fb1ce12ad9045780e6bb180db4915a72df7f7046ade5d815c5
Instruction ID: a8e9615d99120bcdd262206b5b1fbac54add7daa3635c3719090912164dab22c
Opcode Fuzzy Hash: 7e2d088b15f921fb1ce12ad9045780e6bb180db4915a72df7f7046ade5d815c5
Instruction Fuzzy Hash: D461C626F0850399FB54EAA2E4A09FD2721AF54768F504376FE1D6B6CDDE38E50A8300

Function 00007FFDFAE91A46 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

ssl\statem\extensions_srvr.c, xrefs: 00007FFDFAED112A, 00007FFDFAED1193

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID:
String ID: ssl\statem\extensions_srvr.c
API String ID: 0-3756415750
Opcode ID: 0c13625428d2d569e60c1e1243dc326c41fdc1f2e5e7eee4726254b7bcc73202
Instruction ID: d357168d73176b14f8e9cd228ac23538e69738e79339e4dff7c1627b308af7bd
Opcode Fuzzy Hash: 0c13625428d2d569e60c1e1243dc326c41fdc1f2e5e7eee4726254b7bcc73202
Instruction Fuzzy Hash: 3BC15061B0874395FB68BA229920BBD2391AF45B88F0440B5DE2F5BBDDDF3EE5458700

Function 00007FFDFAE91A0F Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

ERR_clear_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED658A
SetLastError.KERNEL32 ref: 00007FFDFAED6591
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED6698
BUF_MEM_grow.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED6723
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED676A
BUF_MEM_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED6872
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED68D6
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED6929

Part of subcall function 00007FFDFAED6B10: ERR_put_error.LIBCRYPTO-1_1-X64(?,?,00000000,?,00007FFDFAED683E), ref: 00007FFDFAED6EAD

Strings

ssl\statem\statem.c, xrefs: 00007FFDFAED6688, 00007FFDFAED675A, 00007FFDFAED68C6, 00007FFDFAED6919

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error$ErrorLastM_freeM_growR_clear_error
String ID: ssl\statem\statem.c
API String ID: 2562538362-1283862301
Opcode ID: af0771f1e3baa5821fbbf0dff481a41c66c883d96b048463f74113fe52dbbdb4
Instruction ID: 86c314aaf1449959a72e54d6a68fd987e7cae487b35244ee73a7c725d875cb38
Opcode Fuzzy Hash: af0771f1e3baa5821fbbf0dff481a41c66c883d96b048463f74113fe52dbbdb4
Instruction Fuzzy Hash: 95B17A72F1824286FB68AF25D460B7C33A1EB44B48F1444B5DA6A466DDCF3FE885CB41

Function 00007FFDFAEDFAD0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

BN_bin2bn.LIBCRYPTO-1_1-X64(?,?,00000000,00000000,?,ssl\statem\statem_clnt.c,00007FFDFAEDDB4A), ref: 00007FFDFAEDFC6D
BN_bin2bn.LIBCRYPTO-1_1-X64(?,?,00000000,00000000,?,ssl\statem\statem_clnt.c,00007FFDFAEDDB4A), ref: 00007FFDFAEDFC80
BN_free.LIBCRYPTO-1_1-X64(?,?,00000000,00000000,?,ssl\statem\statem_clnt.c,00007FFDFAEDDB4A), ref: 00007FFDFAEDFE4F
BN_free.LIBCRYPTO-1_1-X64(?,?,00000000,00000000,?,ssl\statem\statem_clnt.c,00007FFDFAEDDB4A), ref: 00007FFDFAEDFE57
BN_free.LIBCRYPTO-1_1-X64(?,?,00000000,00000000,?,ssl\statem\statem_clnt.c,00007FFDFAEDDB4A), ref: 00007FFDFAEDFE5F
DH_free.LIBCRYPTO-1_1-X64(?,?,00000000,00000000,?,ssl\statem\statem_clnt.c,00007FFDFAEDDB4A), ref: 00007FFDFAEDFE67
EVP_PKEY_free.LIBCRYPTO-1_1-X64(?,?,00000000,00000000,?,ssl\statem\statem_clnt.c,00007FFDFAEDDB4A), ref: 00007FFDFAEDFE6F

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDFAD5, 00007FFDFAEDFE38, 00007FFDFAEDFE88

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: N_free$N_bin2bn$H_freeY_free
String ID: ssl\statem\statem_clnt.c
API String ID: 2982095754-1578583260
Opcode ID: c59824668e962b8312b713983a02f9f12904af62aff9d52b5bd2a3956e7debe0
Instruction ID: e6af4b33f39bd021919a2b26431869af7b03fd7736e7ab565ec9837a4d3431a6
Opcode Fuzzy Hash: c59824668e962b8312b713983a02f9f12904af62aff9d52b5bd2a3956e7debe0
Instruction Fuzzy Hash: A1A1E832B087C182E768EB25A460ABA7790FB85798F044171EEAE47BD9DF3DE451C700

Function 00007FFDFAF8A140 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF8A34E
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF8A35F
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF8A3A2
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF8A3B3
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF8A42D
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF8A43E

Strings

ios_base::eofbit set, xrefs: 00007FFDFAF8A329, 00007FFDFAF8A37D, 00007FFDFAF8A408
ios_base::failbit set, xrefs: 00007FFDFAF8A322, 00007FFDFAF8A376, 00007FFDFAF8A401
ios_base::badbit set, xrefs: 00007FFDFAF8A316, 00007FFDFAF8A36A, 00007FFDFAF8A3C0, 00007FFDFAF8A3F4, 00007FFDFAF8A450

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: bc5a5f704f5a0fe116566f2c05ca16373bd9148fc834108b203f9b5d4406b5b3
Instruction ID: 34106edd2166afbedf983a68a47da161be09289b68fe97a101ad1554b0fdb2db
Opcode Fuzzy Hash: bc5a5f704f5a0fe116566f2c05ca16373bd9148fc834108b203f9b5d4406b5b3
Instruction Fuzzy Hash: 0E91F522729A4685EF289B15D4A0BB86720FF44FA4F448275EA5D4F7E9DF3DD446C300

Function 00007FFDFAEEF280 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

EVP_PKEY_free.LIBCRYPTO-1_1-X64(?,?,?,00007FFDFAEF1502), ref: 00007FFDFAEEF471

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEEF3F3, 00007FFDFAEEF454

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: Y_free
String ID: ssl\statem\statem_srvr.c
API String ID: 1282063954-322006118
Opcode ID: 1474a246272cf9f38838f3d72e71aa1314a92ab7a109e85b2ac558a760ef9b52
Instruction ID: 8c243d10d4652b85f4ba612496ff5d1c17f4926bb6de646c2236af3e26403a7b
Opcode Fuzzy Hash: 1474a246272cf9f38838f3d72e71aa1314a92ab7a109e85b2ac558a760ef9b52
Instruction Fuzzy Hash: 6151933270874185EB28EB12E4A4BA97790EF84B94F148171EE6E07BD9DF3DE545C710

Function 00007FFDFAE91951 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC05E0
BIO_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC05E8
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC0615
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC06AA
X509_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC06B2
BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC06BA

Strings

ssl\ssl_rsa.c, xrefs: 00007FFDFAEC0699

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_ctrlO_freeO_newO_s_fileR_put_errorX509_free
String ID: ssl\ssl_rsa.c
API String ID: 785824201-2490807841
Opcode ID: f5380994f99280aca6ee1575c6785d3e63a0fbf985033e14e251f4d2d55d9305
Instruction ID: 8635093ec3d53ebcda838c242e7f7e31323c09206dd8f7b96c4ed029c946ca8d
Opcode Fuzzy Hash: f5380994f99280aca6ee1575c6785d3e63a0fbf985033e14e251f4d2d55d9305
Instruction Fuzzy Hash: A7319321F0869286F728BE52A420AB96651AF847D4F154071ED6F0BFDDDF3EE5018740

Function 00007FFDFAE91032 Relevance: 15.3, APIs: 10, Instructions: 286COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0C96
EVP_CIPHER_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0C9E
EVP_MD_CTX_md.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0CB0
EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0CB8
EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0CD1
EVP_CIPHER_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0CD9
EVP_CIPHER_CTX_block_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0CEF
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0D63
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0D9E
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0EE7

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_ctrl$R_flagsX_cipher$D_sizeX_block_sizeX_md
String ID:
API String ID: 1400698538-0
Opcode ID: 976d0b2d7d22c3f9b1cbd2b1294a24a1cc4f007521c4fc92ce7da0851ea6ebcf
Instruction ID: 5c361896ec7b136ce2e7a88649fd319404c82117eddd83be43642df13ecf0f24
Opcode Fuzzy Hash: 976d0b2d7d22c3f9b1cbd2b1294a24a1cc4f007521c4fc92ce7da0851ea6ebcf
Instruction Fuzzy Hash: D1D10922B097C185D754AF259060BBD77A0FB55B88F088172DEAE473CEDE39D494C311

Function 00007FFDFAF7BCC0 Relevance: 15.2, APIs: 10, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7C448: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF7BA92), ref: 00007FFDFAF7C46E
Part of subcall function 00007FFDFAF7C448: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF7BA92), ref: 00007FFDFAF7C4E6

_FXp_setw.LIBCPMT ref: 00007FFDFAF7BD5E
_FXp_setw.LIBCPMT ref: 00007FFDFAF7BD71
_FXp_setn.LIBCPMT ref: 00007FFDFAF7BDB5
_FXp_addx.LIBCPMT ref: 00007FFDFAF7BDC7
_FXp_setw.LIBCPMT ref: 00007FFDFAF7BE1E
_FXp_setw.LIBCPMT ref: 00007FFDFAF7BE31
_FXp_setn.LIBCPMT ref: 00007FFDFAF7BD7C

Part of subcall function 00007FFDFAF70EE0: _FXp_setw.LIBCPMT ref: 00007FFDFAF70F19

_FXp_setn.LIBCPMT ref: 00007FFDFAF7BE3C
_FXp_setn.LIBCPMT ref: 00007FFDFAF7BE75
_FXp_addx.LIBCPMT ref: 00007FFDFAF7BE87

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3781602613-0
Opcode ID: 349c559bbdd8abd20516d16031534ccd65eb2e704358a31c07bc4e2750892f39
Instruction ID: a2b720716bbfe2ba3479d258a4848b66de9ce275c1a118170fac7497f108f28b
Opcode Fuzzy Hash: 349c559bbdd8abd20516d16031534ccd65eb2e704358a31c07bc4e2750892f39
Instruction Fuzzy Hash: 7A61B432F0850689F715DAA2E4A09FD2321AF55768F904376FE1E6B7CDDE38E50A8300

Function 00007FFDFAEF8920 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 278COMMON

Download Yara Rule

APIs

EVP_PKEY_get0_EC_KEY.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF8A8B
EC_KEY_get0_group.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF8A93
EC_GROUP_get_curve_name.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF8A9B
EVP_PKEY_get0.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF8B95

Part of subcall function 00007FFDFAEF38E0: EVP_PKEY_get0_EC_KEY.LIBCRYPTO-1_1-X64(00000000,00000000,?,?,?,00007FFDFAEF6136), ref: 00007FFDFAEF3A15
Part of subcall function 00007FFDFAEF38E0: EC_KEY_get0_group.LIBCRYPTO-1_1-X64(00000000,00000000,?,?,?,00007FFDFAEF6136), ref: 00007FFDFAEF3A1D
Part of subcall function 00007FFDFAEF38E0: EC_GROUP_get_curve_name.LIBCRYPTO-1_1-X64(00000000,00000000,?,?,?,00007FFDFAEF6136), ref: 00007FFDFAEF3A25

Strings

gfffffff, xrefs: 00007FFDFAEF89FB
gfffffff, xrefs: 00007FFDFAEF8AA3
gfffffff, xrefs: 00007FFDFAEF8BB5
ssl\t1_lib.c, xrefs: 00007FFDFAEF89BA

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: P_get_curve_nameY_get0_Y_get0_group$Y_get0
String ID: gfffffff$gfffffff$gfffffff$ssl\t1_lib.c
API String ID: 2351481120-1436044173
Opcode ID: 4275621e98b344446e761ca2cde5eeccb5a3d92c7f1a1a4c1e04901f3f412e30
Instruction ID: 119d92c4d4cd0674860518203092e08c2da1495f0e542093e9e457c113a90039
Opcode Fuzzy Hash: 4275621e98b344446e761ca2cde5eeccb5a3d92c7f1a1a4c1e04901f3f412e30
Instruction Fuzzy Hash: 15C1E763B097C285EB58AE16E564AB82790FF84B94F184175CE6E473D8DF3AF481D302

Function 00007FFDFAF7A900 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7A93D
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7A9DB
memchr.VCRUNTIME140 ref: 00007FFDFAF7A9ED
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7AA28
memchr.VCRUNTIME140 ref: 00007FFDFAF7AA36
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF7AAB6

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFDFAF7A9E4, 00007FFDFAF7A9F7
0, xrefs: 00007FFDFAF7A978

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-2692187688
Opcode ID: 2b4670cba146d0848530d1a73fb9280632563bfb36b5a852feec04728ddbac9e
Instruction ID: 0219dd16dc04827d291166e0e1ecd6df298d0d5e7dfe16f1ee3eef1b0461d8d7
Opcode Fuzzy Hash: 2b4670cba146d0848530d1a73fb9280632563bfb36b5a852feec04728ddbac9e
Instruction Fuzzy Hash: CC51FC12B1D6C685FB69AE21B520B7966A0AF45BB4F4A4370EDBD0E3CDDE3CD4528700

Function 00007FFDFAE91B81 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFA59B
EVP_DigestInit_ex.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFA5C7
EVP_DigestUpdate.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFA5ED
EVP_DigestFinal_ex.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFA60A
EVP_DigestInit_ex.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFA620
EVP_DigestFinal_ex.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFA63A
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFA6EE

Strings

exporter, xrefs: 00007FFDFAEFA69E

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: Digest$Final_exInit_ex$UpdateX_freeX_new
String ID: exporter
API String ID: 3991325671-111224270
Opcode ID: 584e3206e601d43f78bb277a6f27d914b16a0ae904c15af8b36486611bc314f8
Instruction ID: d12261d4240f10b1ee79dda3a1e24b4774ecaf35c51bb86b656d603f552fcbc9
Opcode Fuzzy Hash: 584e3206e601d43f78bb277a6f27d914b16a0ae904c15af8b36486611bc314f8
Instruction Fuzzy Hash: 3441403271878245EB64AB16F860AEAB394EF897C4F444072EE9E4779DDE3DD1418A00

Function 00007FFDFAF46BE0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF46C34
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAF466C0,?,?,?,00007FFDFAF4841D), ref: 00007FFDFAF46C45
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF46C72
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF46CB5
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF46CC6

Strings

ios_base::eofbit set, xrefs: 00007FFDFAF46C0F, 00007FFDFAF46C90
ios_base::failbit set, xrefs: 00007FFDFAF46BE0, 00007FFDFAF46C08, 00007FFDFAF46C89
ios_base::badbit set, xrefs: 00007FFDFAF46BFC, 00007FFDFAF46C50, 00007FFDFAF46C7D

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1099746521-1866435925
Opcode ID: e9b112727ce05ce70ede0a01036ddab8272d7d2d651d585c7161a61c8188cccc
Instruction ID: aa385bf0308031e2ce735decc07edf73c664810a99108496fa705f93aaf25651
Opcode Fuzzy Hash: e9b112727ce05ce70ede0a01036ddab8272d7d2d651d585c7161a61c8188cccc
Instruction Fuzzy Hash: 4921F692B2D50796EB4C8700D8A1AF92310EF50365F8803B5FAAD4E5EDDF2DE245C340

Function 00007FFDFAEA5DEF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5E13
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5E4A

Strings

b, xrefs: 00007FFDFAEA5E81
ssl\s3_lib.c, xrefs: 00007FFDFAEA5E02, 00007FFDFAEA5E2F, 00007FFDFAEA5E7A

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: b$ssl\s3_lib.c
API String ID: 1767461275-1517289500
Opcode ID: c743b996e699ccfeb91afd1a9b541d9ea70a541a2d5e0b9cac4781896bda67db
Instruction ID: 4d32889b56b59f76ed0c76183cdd72df9501b522d993a39f6fd2dd525ac5657c
Opcode Fuzzy Hash: c743b996e699ccfeb91afd1a9b541d9ea70a541a2d5e0b9cac4781896bda67db
Instruction Fuzzy Hash: 4421B661B0854681E728BF21E560AB96791EF85B98F504071DD2F0BBD9EF3EE5428710

Function 00007FFDFAF7C930 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFDFAF7C93D
GetProcAddress.KERNEL32 ref: 00007FFDFAF7C950
GetProcAddress.KERNEL32 ref: 00007FFDFAF7C967
GetProcAddress.KERNEL32 ref: 00007FFDFAF7C97E

Strings

GetTempPath2W, xrefs: 00007FFDFAF7C96D
GetCurrentPackageId, xrefs: 00007FFDFAF7C946
kernel32.dll, xrefs: 00007FFDFAF7C936
GetSystemTimePreciseAsFileTime, xrefs: 00007FFDFAF7C956

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: c63ac9f491757429db2b4c8115fda852612a6686672675b5b190d94e90c0dba3
Instruction ID: a0eec5e6cb9ba19b2afe6f4073c9977e616dc43350c85dc1593ae94799ee4871
Opcode Fuzzy Hash: c63ac9f491757429db2b4c8115fda852612a6686672675b5b190d94e90c0dba3
Instruction Fuzzy Hash: 1CF0D020B09A0B81EB099B51FCA48606365BF0C7A5B8442B1F52F0A3A8EE7CA1658310

Function 00007FFDFAE9131B Relevance: 13.6, APIs: 9, Instructions: 85COMMON

Download Yara Rule

APIs

BIO_next.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBA650
BIO_up_ref.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBA671
BIO_pop.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBA689
BIO_free_all.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBA696
BIO_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBA6AF
BIO_next.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBA6CD
BIO_next.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBA6EF
BIO_free_all.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBA708
BIO_free_all.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBA725

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_free_allO_next$O_popO_pushO_up_ref
String ID:
API String ID: 1496992895-0
Opcode ID: 830367400fcb5bd328ce08019e8a15fc141aebb7bec3f7f032b40297ffca48d0
Instruction ID: e0ccbbef649458067e4dc881ba40321ac14675cb46081a9efa3d4a2b6f86ea57
Opcode Fuzzy Hash: 830367400fcb5bd328ce08019e8a15fc141aebb7bec3f7f032b40297ffca48d0
Instruction Fuzzy Hash: 82314E61B1AA4182EF5CBB11E16557C6360EF94FC8F1405B2EE6F07BCEDE2AD8618340

Function 00007FFDFAE94267 Relevance: 13.6, APIs: 9, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9426F
BIO_set_retry_reason.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE94279

Part of subcall function 00007FFDFAE914CE: ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB6DF9

BIO_set_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE942B0
BIO_get_retry_reason.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE942B8
BIO_set_retry_reason.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE942C2
BIO_set_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE942D4
BIO_set_retry_reason.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE942E1
BIO_set_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE942F0
BIO_set_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE942FF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_set_flags$O_set_retry_reason$O_clear_flagsO_get_retry_reasonR_put_error
String ID:
API String ID: 1383309399-0
Opcode ID: f05814c07d341e8128778588b51307b533c868f5966b37d070d4e4306cae774e
Instruction ID: 32c0e1bdf816f325c3543f01e503b26f595b00cedd4a0f970c5583a902cb97fb
Opcode Fuzzy Hash: f05814c07d341e8128778588b51307b533c868f5966b37d070d4e4306cae774e
Instruction Fuzzy Hash: 80110021F4D25242F75CF129613197D4641DFCAB84F2081B1D92B4BBDEDE2FA6574205

Function 00007FFDFAEF5050 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 257COMMON

Download Yara Rule

APIs

EVP_PKEY_id.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF5072

Strings

ssl\t1_lib.c, xrefs: 00007FFDFAEF50C8, 00007FFDFAEF540C

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: Y_id
String ID: ssl\t1_lib.c
API String ID: 239174422-1168734446
Opcode ID: c170aec686d262925b94a2ee15265c9f38bfa1dda5f72e7e072cfc689cab9b89
Instruction ID: 5713063105163c91251d042204fce37b40d451558b2ac421dd34352d6702f036
Opcode Fuzzy Hash: c170aec686d262925b94a2ee15265c9f38bfa1dda5f72e7e072cfc689cab9b89
Instruction Fuzzy Hash: CCB1F632B0828282FB68AA15D070B7D27A4EB94798F544075DE6F477DDCF3EE9828714

Function 00007FFDFAF89EC0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF8A0CE
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF8A0DF
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF8A122
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF8A133

Strings

ios_base::eofbit set, xrefs: 00007FFDFAF8A0A9, 00007FFDFAF8A0FD
ios_base::failbit set, xrefs: 00007FFDFAF8A0A2, 00007FFDFAF8A0F6
ios_base::badbit set, xrefs: 00007FFDFAF8A096, 00007FFDFAF8A0EA

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: e7a1ddc16ed2a2e1c457880007b7bedc724d33196b4cef38cf5969c1f8ddc510
Instruction ID: 6a6e86f55576ca2089582b62ab3652e5babd1a001b384d0cc4e80329234488d1
Opcode Fuzzy Hash: e7a1ddc16ed2a2e1c457880007b7bedc724d33196b4cef38cf5969c1f8ddc510
Instruction Fuzzy Hash: B261F222718A4685EB288F15D4A0BB92760FF84FA9F448272EA5D4F3E8CF3DD406C300

Function 00007FFDFAF54370 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166fileCOMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF54414
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF54425
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFAF54501
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFAF5458D

Strings

ios_base::eofbit set, xrefs: 00007FFDFAF543EF
ios_base::failbit set, xrefs: 00007FFDFAF543E8
ios_base::badbit set, xrefs: 00007FFDFAF543DD

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1428583292-1866435925
Opcode ID: 69f6fa4fc4b5327128fd02e9a0cd4ecbe41eb52f667ad14cf0306187b55dfdb2
Instruction ID: 07acfd29bc90437e4e7f5c407587da03f401fe0e14560c41529ca8979fff5d13
Opcode Fuzzy Hash: 69f6fa4fc4b5327128fd02e9a0cd4ecbe41eb52f667ad14cf0306187b55dfdb2
Instruction Fuzzy Hash: F261CE32719A8289EB18CF25D4A06BC33A1FF44B99F844272FA5D4BBA8DF38D555C340

Function 00007FFDFAF89C60 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF89E53
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFAF7CBA4), ref: 00007FFDFAF89E64
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF89EA7
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFAF7CBA4), ref: 00007FFDFAF89EB8

Strings

ios_base::eofbit set, xrefs: 00007FFDFAF89E2E, 00007FFDFAF89E82
ios_base::failbit set, xrefs: 00007FFDFAF89E27, 00007FFDFAF89E7B
ios_base::badbit set, xrefs: 00007FFDFAF89E1B, 00007FFDFAF89E6F

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 8d958ad96f41122896841034e02e7778baf7bc65a9425929e75c28519ffffc83
Instruction ID: d6d11a383a4ce35a838e1a1cb650b2c5a50bf3072aefa2e01d09d34770d271d3
Opcode Fuzzy Hash: 8d958ad96f41122896841034e02e7778baf7bc65a9425929e75c28519ffffc83
Instruction Fuzzy Hash: 16619227B08A4685EB588B15D4A1BB96B60FF84FA9F448276EA5D4F3E9CF2CD405C340

Function 00007FFDFAF7A6F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7A73A
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7A7CC
memchr.VCRUNTIME140 ref: 00007FFDFAF7A7DE
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF7A813
memchr.VCRUNTIME140 ref: 00007FFDFAF7A821
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF7A89F

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFDFAF7A7D5, 00007FFDFAF7A7EB

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-4256519037
Opcode ID: a74c752cea25472f474bc116e203514d7fdc827680c327d50067ffbb674dae7b
Instruction ID: 82af30b39f89374728cacf8409ff56cce00af519669d7a46d3cc279356d8da4d
Opcode Fuzzy Hash: a74c752cea25472f474bc116e203514d7fdc827680c327d50067ffbb674dae7b
Instruction Fuzzy Hash: 5E511D16F1D68646E769AE25B820B7976A0BF447A4F4942B4EDBD4A3CCDF3CD8078700

Function 00007FFDFAE91FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECCA3D
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECCA59
i2d_OCSP_RESPID.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECCA98
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECCAAA
i2d_X509_EXTENSIONS.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECCAE6
i2d_X509_EXTENSIONS.LIBCRYPTO-1_1-X64 ref: 00007FFDFAECCB29

Strings

ssl\statem\extensions_clnt.c, xrefs: 00007FFDFAECCB86, 00007FFDFAECCBB5

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: i2d_$L_sk_numX509_$L_sk_value
String ID: ssl\statem\extensions_clnt.c
API String ID: 917959868-2462086076
Opcode ID: 8ecbeec722d2d53a7b14341058e800dd26307195aad5f6c4aa6484b3c1ee3bc1
Instruction ID: d06ddd14633df4a766683c482313fc4142b82747f41e392b72475a25b743491c
Opcode Fuzzy Hash: 8ecbeec722d2d53a7b14341058e800dd26307195aad5f6c4aa6484b3c1ee3bc1
Instruction Fuzzy Hash: 6551C661B4864285FB58BA629860ABD53919FC4BD8F040570DD2F877CEDF2EE542C700

Function 00007FFDFAF4B110 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF4B1A1
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF4B1B2

Strings

ios_base::eofbit set, xrefs: 00007FFDFAF4B17C, 00007FFDFAF4B2CD
ios_base::failbit set, xrefs: 00007FFDFAF4B175, 00007FFDFAF4B2C6
ios_base::badbit set, xrefs: 00007FFDFAF4B16A, 00007FFDFAF4B2BA

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 7c510c2321f1927e2e811605a37c4ae885744e48415220fea874b10c93dfc8d9
Instruction ID: 4c77b4d86895f07202fc6a102dd6364662a7cf3dc242275961b28d661f17bb5b
Opcode Fuzzy Hash: 7c510c2321f1927e2e811605a37c4ae885744e48415220fea874b10c93dfc8d9
Instruction Fuzzy Hash: DF51E63271894681DB18CB19D8A0A696360FF84BA8F944371EE6D4B7F9DF3CD645C740

Function 00007FFDFAEA8A80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA8AFE
EVP_PKEY_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA8C05

Strings

ssl\s3_lib.c, xrefs: 00007FFDFAEA8AB2, 00007FFDFAEA8B0B, 00007FFDFAEA8B8E, 00007FFDFAEA8BCC

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X_freeX_new_id
String ID: ssl\s3_lib.c
API String ID: 4103210000-3639828702
Opcode ID: dc7b5a6cd93fc3b6b4bf002c69c5c2bc9f835892c7d65ab859e2e072087b5473
Instruction ID: 2a811463d8d6fc20a8cb2ea0db0eda07f00bf53c9bed3ffc805cd8533a6b8458
Opcode Fuzzy Hash: dc7b5a6cd93fc3b6b4bf002c69c5c2bc9f835892c7d65ab859e2e072087b5473
Instruction Fuzzy Hash: 4E41857670874185E768BF11F460AAAB791FB88744F540175EA5E0B7DDDF7EE9008B00

Function 00007FFDFAEDA950 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDA9B6
EVP_PKEY_get0_DH.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDA9ED
DH_get0_key.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDAA24
BN_num_bits.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDAA2E
BN_bn2bin.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDAA8E
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDAA96

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDA998, 00007FFDFAEDAA66

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: Y_free$H_get0_keyN_bn2binN_num_bitsY_get0_
String ID: ssl\statem\statem_clnt.c
API String ID: 2719771601-1578583260
Opcode ID: 3d69f6c81ecf0a835d62c573ae15468f21293b95961a1e2b894d6a445f8414eb
Instruction ID: d2278c983b6f59a4ab078229ffb42d9eafdc922d17a33fdf1472109114ee9a9c
Opcode Fuzzy Hash: 3d69f6c81ecf0a835d62c573ae15468f21293b95961a1e2b894d6a445f8414eb
Instruction Fuzzy Hash: 11319862B1878186FB68BB12F860EAA6750EF88BD8F040171E95E47BDDDF7DE5418700

Function 00007FFDFAEBE320 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

EVP_MD_CTX_md.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE364
EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE36C
EVP_MD_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE37F
EVP_MD_CTX_copy_ex.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE39C
EVP_DigestFinal_ex.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE3AE
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE3FA

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBE3D9

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: D_sizeDigestFinal_exX_copy_exX_freeX_mdX_new
String ID: ssl\ssl_lib.c
API String ID: 2082763299-1984206432
Opcode ID: 67884d77f58c8e1174f6548bc4c3574f37c7f7abc2b899a388506ed2fd341c60
Instruction ID: 138fa8f33f7595a59ed9a10bb5cb34862ce1a6822d641b3f8d78303383481259
Opcode Fuzzy Hash: 67884d77f58c8e1174f6548bc4c3574f37c7f7abc2b899a388506ed2fd341c60
Instruction Fuzzy Hash: 0F219031B0C78241E768FA16B825ABA6790EF84BD4F184475EEAE477DDDE3DE1418700

Function 00007FFDFAF71DDC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7B910: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B930
Part of subcall function 00007FFDFAF7B910: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B938
Part of subcall function 00007FFDFAF7B910: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B941
Part of subcall function 00007FFDFAF7B910: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B95D

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFDFAF72FAE), ref: 00007FFDFAF71E27
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFDFAF72FAE), ref: 00007FFDFAF71E47
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFDFAF72FAE), ref: 00007FFDFAF71E6A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFDFAF72FAE), ref: 00007FFDFAF71E8A

Part of subcall function 00007FFDFAF44E20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E42
Part of subcall function 00007FFDFAF44E20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E68
Part of subcall function 00007FFDFAF44E20: memmove.VCRUNTIME140(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E80

Strings

:AM:am:PM:pm, xrefs: 00007FFDFAF71EB2
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFDFAF71E51
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFDFAF71E94

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2607222871-35662545
Opcode ID: 3c4420bee09877ec299f0ccf0785a70a10bbb9a03d7dec44f00519086dfc9e0b
Instruction ID: 50f53e53737008a439fec7162a573bdccbfff257538b6d4d15f6830ab3c142bc
Opcode Fuzzy Hash: 3c4420bee09877ec299f0ccf0785a70a10bbb9a03d7dec44f00519086dfc9e0b
Instruction Fuzzy Hash: 52316C22B04B4686E704DF21E820AA877A5FF88BD4F498271EA5D4B39ADF3CE145C340

Function 00007FFDFAEA6992 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA69B2
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6FE1

Strings

ssl\s3_lib.c, xrefs: 00007FFDFAEA69A4, 00007FFDFAEA6A05, 00007FFDFAEA6FD3

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\s3_lib.c
API String ID: 1767461275-3639828702
Opcode ID: b3f422ad0e7b79111352644a261d6e4efb5fd749c3e9a4578d90f55e1127afba
Instruction ID: 40e29cb3c02a88094d92705f1ea0ad7977890e6a926eecaad8d2b31f3f53c4ba
Opcode Fuzzy Hash: b3f422ad0e7b79111352644a261d6e4efb5fd749c3e9a4578d90f55e1127afba
Instruction Fuzzy Hash: 9E21B262B4858281EB58EF21F550AAD63A0EB84B98F544471EE6E07BCEEF3ED5518700

Function 00007FFDFAF57040 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7B910: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B930
Part of subcall function 00007FFDFAF7B910: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B938
Part of subcall function 00007FFDFAF7B910: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B941
Part of subcall function 00007FFDFAF7B910: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B95D

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF57082
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF570A2
_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF570C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF570E0

Part of subcall function 00007FFDFAF44EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF570DD,?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF44EC9
Part of subcall function 00007FFDFAF44EA0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF570DD,?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF44EF8
Part of subcall function 00007FFDFAF44EA0: memmove.VCRUNTIME140(?,?,00000000,00007FFDFAF570DD,?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF44F0F

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFDFAF570AC
:AM:am:PM:pm, xrefs: 00007FFDFAF570FA
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFDFAF570EA

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2607222871-3743323925
Opcode ID: a470608b7a250fb0ea238fa3c340b2ceb1189eb64d602e28189f51ae9642db91
Instruction ID: c6c0abb96653a4b8474b8e1b1176844a382b5680b08358c0566f48a4320c773d
Opcode Fuzzy Hash: a470608b7a250fb0ea238fa3c340b2ceb1189eb64d602e28189f51ae9642db91
Instruction Fuzzy Hash: C7216022B08B4686EB14DF21E82066973B0FF88BD4F444274EA5E4B79AEF3CE544C740

Function 00007FFDFAEF602E Relevance: 12.2, APIs: 8, Instructions: 189COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF614B
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF6159
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF6175
EVP_PKEY_id.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF62BD
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF634E
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF6369

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_num$L_sk_valueY_id
String ID:
API String ID: 483135270-0
Opcode ID: 04a256367129bbe7ddcaa20dee09ea915e00b696c70bd942bca31ad14df8bddf
Instruction ID: fd92aec434b409136a3789d5a275aac9293316a94a24617817ebca52e4999dc5
Opcode Fuzzy Hash: 04a256367129bbe7ddcaa20dee09ea915e00b696c70bd942bca31ad14df8bddf
Instruction Fuzzy Hash: A2618221F0D2C286FF6C7A169574A796799EF81B84F1444B5DD2F872CEDE2EE4818301

Function 00007FFDFAE922C0 Relevance: 12.1, APIs: 8, Instructions: 130COMMON

Download Yara Rule

APIs

ERR_peek_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB84E3

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_peek_error
String ID:
API String ID: 3623038435-0
Opcode ID: da166de60a86ec62954d119925afbea3abea0f56187d94d37413aab34cd53be5
Instruction ID: 780cffb36ccda481d1d112a61ab6029566e6affb3a4f11a2928f87076155afc7
Opcode Fuzzy Hash: da166de60a86ec62954d119925afbea3abea0f56187d94d37413aab34cd53be5
Instruction Fuzzy Hash: 8041A462F0A18282FB6CBA119265B791291DF847D5F1850B2EE2E477CDDF1EF8D28704

Function 00007FFDFAEAF030 Relevance: 12.1, APIs: 8, Instructions: 114COMMON

Download Yara Rule

APIs

OBJ_nid2sn.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAF0DA
EVP_get_digestbyname.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAF0E2
EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAF0F3
OBJ_nid2sn.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAF131
EVP_get_cipherbyname.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAF139
EVP_CIPHER_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAF149
EVP_CIPHER_iv_length.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAF15E
EVP_CIPHER_block_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAF169

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: J_nid2sn$D_sizeP_get_cipherbynameP_get_digestbynameR_block_sizeR_flagsR_iv_length
String ID:
API String ID: 4211416117-0
Opcode ID: 32bd6790777a7e8bbc5d0565dd3a7a495f791eeabc097fd0645591dd254171c4
Instruction ID: 26ad5781996fe7a0e2df60471127051cc0e1ea4c3ac4b9778029c7695cdba615
Opcode Fuzzy Hash: 32bd6790777a7e8bbc5d0565dd3a7a495f791eeabc097fd0645591dd254171c4
Instruction Fuzzy Hash: D241F961F0934245FB2CEB15D4B4AB92290EF58B94F1445B1DD6F4B3CADE3EE8418390

Function 00007FFDFAE93AF0 Relevance: 12.1, APIs: 8, Instructions: 111COMMON

Download Yara Rule

APIs

BIO_get_data.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE93B3D
BIO_clear_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE93B50
BIO_set_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE93B95
BIO_set_retry_reason.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE93C30

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_clear_flagsO_get_dataO_set_flagsO_set_retry_reason
String ID:
API String ID: 3836630899-0
Opcode ID: 9332c784e00586fbed0b9ab4055211eead8e5446cb0e0a7062815bfd2568741c
Instruction ID: d988b394b5439f83cd654e0fbf4afa99a25379e40cd8e158d4bb21a8406662c8
Opcode Fuzzy Hash: 9332c784e00586fbed0b9ab4055211eead8e5446cb0e0a7062815bfd2568741c
Instruction Fuzzy Hash: EA31FA32F0874342E76CBA26652197D6691EF98B98F104475DE2B477CEDF3ED8529200

Function 00007FFDFAF7A1C0 Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7A550: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF79992), ref: 00007FFDFAF7A576
Part of subcall function 00007FFDFAF7A550: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF79992), ref: 00007FFDFAF7A5E0

_Stoflt.LIBCPMT ref: 00007FFDFAF7A24B
_Xp_setn.LIBCPMT ref: 00007FFDFAF7A286
_Xp_setn.LIBCPMT ref: 00007FFDFAF7A2C1
_Xp_addx.LIBCPMT ref: 00007FFDFAF7A2D4
_Xp_setn.LIBCPMT ref: 00007FFDFAF7A352
_Xp_setn.LIBCPMT ref: 00007FFDFAF7A38D
_Xp_addx.LIBCPMT ref: 00007FFDFAF7A3A1

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 578106097-0
Opcode ID: 461bf3aab1cf8ce85de2ffe1f4e95a744948a87e503763ab1629b2b447818b56
Instruction ID: 7e31efdbac6fc056a61f2baa6a351ae4a1766a7436b26762b91073cd87bfee33
Opcode Fuzzy Hash: 461bf3aab1cf8ce85de2ffe1f4e95a744948a87e503763ab1629b2b447818b56
Instruction Fuzzy Hash: 6F611322F2854282E755EE61F4A09AE6720FF84764F510272FE5E1B6CDDE3DE949C700

Function 00007FFDFAF79940 Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7A550: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF79992), ref: 00007FFDFAF7A576
Part of subcall function 00007FFDFAF7A550: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF79992), ref: 00007FFDFAF7A5E0

_Stoflt.LIBCPMT ref: 00007FFDFAF799CB
_Xp_setn.LIBCPMT ref: 00007FFDFAF79A06
_Xp_setn.LIBCPMT ref: 00007FFDFAF79A41
_Xp_addx.LIBCPMT ref: 00007FFDFAF79A54
_Xp_setn.LIBCPMT ref: 00007FFDFAF79AD2
_Xp_setn.LIBCPMT ref: 00007FFDFAF79B0D
_Xp_addx.LIBCPMT ref: 00007FFDFAF79B21

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 578106097-0
Opcode ID: 9304b029b93cdd8cb67750c4a42869adb59d3f129c1a8ed4c8c1c5a2f3519725
Instruction ID: c4f452b7bd7f8d16255b13353b8a55535e5a910efe5269ab75757f69b572304f
Opcode Fuzzy Hash: 9304b029b93cdd8cb67750c4a42869adb59d3f129c1a8ed4c8c1c5a2f3519725
Instruction Fuzzy Hash: 9B61D126B1854382E7959E21F4A09EA6720FF85764F500772FE6E1B6DDDF3CD5098700

Function 00007FFDFAEADA40 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADA88
memcpy.VCRUNTIME140 ref: 00007FFDFAEADAA7
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADAE9
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEADB17

Strings

ssl\ssl_ciph.c, xrefs: 00007FFDFAEADA69, 00007FFDFAEADAD2, 00007FFDFAEADB28, 00007FFDFAEADBA3
P, xrefs: 00007FFDFAEADAAC

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error$L_sk_pushmemcpy
String ID: P$ssl\ssl_ciph.c
API String ID: 96246294-2249963089
Opcode ID: 9f464f50c7ee0d3173dd81df26f1ce0d8bb870ab45a17475f583496c46c160a8
Instruction ID: e4ddb16e35cc0b775f1ca8fbfd445b35dc9b11ed028a5755979d71a7d69b2b3e
Opcode Fuzzy Hash: 9f464f50c7ee0d3173dd81df26f1ce0d8bb870ab45a17475f583496c46c160a8
Instruction Fuzzy Hash: 7B21B561F0C68245FBA8AB21E871BBE2250EF88794F5041B1E95E4B7DDDF3EE5448B01

Function 00007FFDFAF52EBC Relevance: 10.6, APIs: 7, Instructions: 121threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFDFAF52EEF
GetCurrentThreadId.KERNEL32 ref: 00007FFDFAF52F0A
GetCurrentThreadId.KERNEL32 ref: 00007FFDFAF52F42
xtime_get.LIBCPMT ref: 00007FFDFAF52F7E
GetCurrentThreadId.KERNEL32 ref: 00007FFDFAF52FA5
GetCurrentThreadId.KERNEL32 ref: 00007FFDFAF52FDE
GetCurrentThreadId.KERNEL32 ref: 00007FFDFAF53022

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: CurrentThread$xtime_get
String ID:
API String ID: 1104475336-0
Opcode ID: e4c2fda0aa47931c09ebbe09ac2384be1725825c128f1e01bd5f638f93e183d2
Instruction ID: e84d353be9c18431fd8e1ebc9c43cb006f55e7045212c10834e759148b456872
Opcode Fuzzy Hash: e4c2fda0aa47931c09ebbe09ac2384be1725825c128f1e01bd5f638f93e183d2
Instruction Fuzzy Hash: 90514431B1C6028AE7688F55E860A3963A0FF44B64F514371E66D8A6E8DF3DE881CB00

Function 00007FFDFAEBF290 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBF304
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBF31B
CT_POLICY_EVAL_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBF33F
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBF36C

Part of subcall function 00007FFDFAE924F0: SCT_LIST_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7E33
Part of subcall function 00007FFDFAE924F0: d2i_OCSP_RESPONSE.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7E88
Part of subcall function 00007FFDFAE924F0: OCSP_response_get1_basic.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7E98
Part of subcall function 00007FFDFAE924F0: OCSP_resp_count.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7EAA
Part of subcall function 00007FFDFAE924F0: OCSP_resp_get0.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7EB8
Part of subcall function 00007FFDFAE924F0: OCSP_SINGLERESP_get1_ext_d2i.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7ED0
Part of subcall function 00007FFDFAE924F0: OCSP_resp_count.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7EF8
Part of subcall function 00007FFDFAE924F0: SCT_LIST_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7F04
Part of subcall function 00007FFDFAE924F0: OCSP_BASICRESP_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7F0C
Part of subcall function 00007FFDFAE924F0: OCSP_RESPONSE_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7F14

CT_POLICY_EVAL_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBF43B

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBF41E

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_numP_resp_countT_free$E_freeL_sk_valueP_freeP_get1_ext_d2iP_resp_get0P_response_get1_basicX_freeX_newd2i_
String ID: ssl\ssl_lib.c
API String ID: 382793502-1984206432
Opcode ID: 175fb00b4b0c943c56e9fdd1541d553298613e8c37b0d39c82f856ad7b48c20f
Instruction ID: b8c1df882455a625f47c601daff0e94f97fa3fc14ba26a9cab66e002103f98ea
Opcode Fuzzy Hash: 175fb00b4b0c943c56e9fdd1541d553298613e8c37b0d39c82f856ad7b48c20f
Instruction Fuzzy Hash: 1241A332B0968245EB6CBA159464AFD6790EF45BC8F084072EE6F4B7C9DF3EE4428750

Function 00007FFDFAF4B900 Relevance: 10.6, APIs: 7, Instructions: 110COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4B9D0
memset.VCRUNTIME140(?,?,?,?,?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4B9E0
memmove.VCRUNTIME140(?,?,?,?,?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4B9F5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4BA29
memmove.VCRUNTIME140(?,?,?,?,?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4BA33
memset.VCRUNTIME140(?,?,?,?,?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4BA43
memmove.VCRUNTIME140(?,?,?,?,?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4BA53

Part of subcall function 00007FFDFAF92D7C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF45B18), ref: 00007FFDFAF92D96

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: memmove$memset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1468981775-0
Opcode ID: bae7eca20d90a23f4dad2e9123c0b1955062e3eddedf53bfa93241c64ac03688
Instruction ID: 647835fc17d4965bb2f651e5b164298d3146f9bf7a8cd3d3ac60fce40292fb40
Opcode Fuzzy Hash: bae7eca20d90a23f4dad2e9123c0b1955062e3eddedf53bfa93241c64ac03688
Instruction Fuzzy Hash: 7D419262B08A8292EB089B56E4146A96311FF48BE4F944736FE2D0FBDACE7CD1458300

Function 00007FFDFAF55840 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF558E4
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF558F5
setvbuf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFAF5592E

Strings

ios_base::eofbit set, xrefs: 00007FFDFAF558BF
ios_base::failbit set, xrefs: 00007FFDFAF558B8
ios_base::badbit set, xrefs: 00007FFDFAF558AD, 00007FFDFAF55900

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2924853686-1866435925
Opcode ID: cc8bcd658fd008fda63118cd5544acc5f5975b246a48eda0b6209e9839b3c941
Instruction ID: eed28e7ea2560d465e708b3991079b92156eb06da35069b6b62354b1f71a7cb1
Opcode Fuzzy Hash: cc8bcd658fd008fda63118cd5544acc5f5975b246a48eda0b6209e9839b3c941
Instruction Fuzzy Hash: 7941AF73B18B468AEB58CF25D460BA833A4FF14BA8F444271EA5C4B699DF3CE554C740

Function 00007FFDFAF63F5C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF63F8A

Part of subcall function 00007FFDFAF7B910: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B930
Part of subcall function 00007FFDFAF7B910: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B938
Part of subcall function 00007FFDFAF7B910: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B941
Part of subcall function 00007FFDFAF7B910: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B95D

_Maklocstr.LIBCPMT ref: 00007FFDFAF64003
_Maklocstr.LIBCPMT ref: 00007FFDFAF64019
_Getvals.LIBCPMT ref: 00007FFDFAF640BE

Strings

false, xrefs: 00007FFDFAF63FFC
true, xrefs: 00007FFDFAF64012

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2626534690-2658103896
Opcode ID: ab6ddfc0edd1b1e02ea2e4d9aff9a33fdd292625dc6a35a8e045d46eff6058d5
Instruction ID: 0215e40bacdbe16be78aeb23b1c7262c519b19564f2308bfb0b865db23874975
Opcode Fuzzy Hash: ab6ddfc0edd1b1e02ea2e4d9aff9a33fdd292625dc6a35a8e045d46eff6058d5
Instruction Fuzzy Hash: 23416A22B18A819AE715CF74E4505EC33B0FF8875CB405226EE5D2BA89EF38D696C344

Function 00007FFDFAEE3C90 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00007FFDFAEE742D), ref: 00007FFDFAEE3DAB
BIO_ctrl.LIBCRYPTO-1_1-X64(?,00007FFDFAEE742D), ref: 00007FFDFAEE3DD8

Strings

TLS 1.3, server CertificateVerify, xrefs: 00007FFDFAEE3D41
, xrefs: 00007FFDFAEE3CE7
TLS 1.3, client CertificateVerify, xrefs: 00007FFDFAEE3D1B
ssl\statem\statem_lib.c, xrefs: 00007FFDFAEE3DEE

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_ctrlmemcpy
String ID: $TLS 1.3, client CertificateVerify$TLS 1.3, server CertificateVerify$ssl\statem\statem_lib.c
API String ID: 2266715306-2016050597
Opcode ID: 9efeef38c20d7252061f762666162bfcba879865b527c315a73acb19ce1a3f63
Instruction ID: 38b8af475017b597fb9a0562e6430b3a300140372eb74af47877af0642ef2153
Opcode Fuzzy Hash: 9efeef38c20d7252061f762666162bfcba879865b527c315a73acb19ce1a3f63
Instruction Fuzzy Hash: B441FE72708B8282E758DF14D4A0ABD77A0FB54B84F1041B2DB9E87799DF3AD960C700

Function 00007FFDFAE91AE1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE385B
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE3869
i2d_X509_NAME.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE38AD
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE38BB

Strings

ssl\statem\statem_lib.c, xrefs: 00007FFDFAEE3818, 00007FFDFAEE38DD
2, xrefs: 00007FFDFAEE38FF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_num$L_sk_valueX509_i2d_
String ID: 2$ssl\statem\statem_lib.c
API String ID: 3754435392-3249270021
Opcode ID: 148c742bff9b9566f4668898124a134040cb7b22a0f28f9ef2b6ee47e87793d9
Instruction ID: fd60cf61d82f7f4ac8320581ca45be7d401f9a178a9712a87f274dbd22d8316f
Opcode Fuzzy Hash: 148c742bff9b9566f4668898124a134040cb7b22a0f28f9ef2b6ee47e87793d9
Instruction Fuzzy Hash: AD31C725F0878345FB19F712A461ABA9694AF84BD4F040470ED6E47BDEDF3EE9418704

Function 00007FFDFAE91BDB Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 90COMMON

Download Yara Rule

APIs

OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF2F06

Strings

, xrefs: 00007FFDFAEF2F99
extended master secret, xrefs: 00007FFDFAEF2EDD
0, xrefs: 00007FFDFAEF2F46
, xrefs: 00007FFDFAEF2F7A
master secret, xrefs: 00007FFDFAEF2F92

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_cleanse
String ID: $ $0$extended master secret$master secret
API String ID: 1040887069-741269486
Opcode ID: b4acd30fb72b04881ffa7e1fd36e63ef3cb38ad4edaf4d9eae74c2541607e0a0
Instruction ID: 2613757048666a1130bbb498bb086a944ce04c19ca7f0978aae98efd0ba7152e
Opcode Fuzzy Hash: b4acd30fb72b04881ffa7e1fd36e63ef3cb38ad4edaf4d9eae74c2541607e0a0
Instruction Fuzzy Hash: C7416872718B8181E768DB11F85079AB3E4FB88394F544134EA8D47BA9EF7ED055CB00

Function 00007FFDFAEF3B00 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 88COMMON

Download Yara Rule

APIs

OBJ_sn2nid.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF3C1A

Strings

DSA, xrefs: 00007FFDFAEF3BB8
ECDSA, xrefs: 00007FFDFAEF3BE5
PSS, xrefs: 00007FFDFAEF3B89
RSA, xrefs: 00007FFDFAEF3B22
RSA-PSS, xrefs: 00007FFDFAEF3B5A

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: J_sn2nid
String ID: DSA$ECDSA$PSS$RSA$RSA-PSS
API String ID: 1172147710-2025297953
Opcode ID: 52b1e671322b666c5c87e545228a2192a9c4b4abe9525719e0a599b20b2b4c9d
Instruction ID: 137d680656ec6bd5736829a97a0898fafe3629d2aa201f236ac008afc15ec2ba
Opcode Fuzzy Hash: 52b1e671322b666c5c87e545228a2192a9c4b4abe9525719e0a599b20b2b4c9d
Instruction Fuzzy Hash: FD31E922B1C1C245EB599B25F070A7C3BA0DB56B54F4841B1D7BF0B6CEDE2ED5918B00

Function 00007FFDFAE91B27 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC145F
BIO_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC1467
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC1494
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC152D
BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC1535

Strings

ssl\ssl_rsa.c, xrefs: 00007FFDFAEC151C

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_ctrlO_freeO_newO_s_fileR_put_error
String ID: ssl\ssl_rsa.c
API String ID: 2618924202-2490807841
Opcode ID: 9ed7a8b4e73da94248c93e64f71e62c43b98af144e31c6d90ab615b0610da010
Instruction ID: a6f5a1456dda6ad23307bf9deff4ec90244b19b20385c1aef69cf849689bab13
Opcode Fuzzy Hash: 9ed7a8b4e73da94248c93e64f71e62c43b98af144e31c6d90ab615b0610da010
Instruction Fuzzy Hash: 4E315221B0868282F728BB52A420A796751FF85B84F544075EE6F0BBCDDF3FE5118B40

Function 00007FFDFAEABF70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEABFCF
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEABFE5
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC00A
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC01E
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAC060

Strings

ssl\ssl_cert.c, xrefs: 00007FFDFAEAC044

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_num$L_sk_pop_freeL_sk_valueR_put_error
String ID: ssl\ssl_cert.c
API String ID: 732311666-188639428
Opcode ID: 3ef42d53206de9a755277ccb23dc02c8af9d92099a60641cfe8f82a85cd6190b
Instruction ID: a37b18fd1a0d72d45659ed08f7e1fa659786a2e4b946f62ba5d955bb4f8a810f
Opcode Fuzzy Hash: 3ef42d53206de9a755277ccb23dc02c8af9d92099a60641cfe8f82a85cd6190b
Instruction Fuzzy Hash: 6521F766B0868185E758FB15B960AA9A790FFC47D4F140471EE1E87BD9CF3DD4418700

Function 00007FFDFAE9133E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC1629
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC1671

Strings

ssl\ssl_rsa.c, xrefs: 00007FFDFAEC160E, 00007FFDFAEC1655, 00007FFDFAEC20DB
$, xrefs: 00007FFDFAEC165C

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: $$ssl\ssl_rsa.c
API String ID: 1767461275-2594201466
Opcode ID: 2c00796cc96422c1e777988fa0098b0fb60d54f5f1f8aa0f80b94e02fbf44d4d
Instruction ID: cae5f5449175e82d6835acd1c0cd27c94a165f006353bd7e17d274ee34d9b481
Opcode Fuzzy Hash: 2c00796cc96422c1e777988fa0098b0fb60d54f5f1f8aa0f80b94e02fbf44d4d
Instruction Fuzzy Hash: EB21E662B0818286E758EB14E420AAA6760FF88798F544570EB5D47BCEEF3ED551CB00

Function 00007FFDFAEBDFF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE02B
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE03F

Part of subcall function 00007FFDFAEBC8E0: OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64(?,00007FFDFAEB76D8), ref: 00007FFDFAEBC901
Part of subcall function 00007FFDFAEBC8E0: OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64(?,00007FFDFAEB76D8), ref: 00007FFDFAEBC917
Part of subcall function 00007FFDFAEBC8E0: X509_free.LIBCRYPTO-1_1-X64(?,00007FFDFAEB76D8), ref: 00007FFDFAEBC924

OPENSSL_sk_new_reserve.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE076
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE0A2
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE0BA

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBE087

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_numL_sk_pop_free$L_sk_new_reserveL_sk_valueR_put_errorX509_free
String ID: ssl\ssl_lib.c
API String ID: 1042751175-1984206432
Opcode ID: d2c5e887d699a48fc279c62dce4fe6ecffb046c7ab4f4802176b118b7380cc27
Instruction ID: 80f6b44cdb0391e14026f301f69054fb0900e8e3589d5a8e04b123c00f588db1
Opcode Fuzzy Hash: d2c5e887d699a48fc279c62dce4fe6ecffb046c7ab4f4802176b118b7380cc27
Instruction Fuzzy Hash: 56317332708A8281D758EB25E4707AEA7A1FBC4784F148576DE9E477CADE3ED4508740

Function 00007FFDFAF70708 Relevance: 9.2, APIs: 6, Instructions: 241COMMON

Download Yara Rule

APIs

_FDunscale.LIBCPMT ref: 00007FFDFAF70743
_FDunscale.LIBCPMT ref: 00007FFDFAF707FA

Part of subcall function 00007FFDFAF70540: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDFAF6F4D4), ref: 00007FFDFAF70549

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: 15ff96a0bf62c7e052e5ded1cc71958b83202e5a8f13f0381bc3fe635a436e56
Instruction ID: f5a59ecd82c4dcc9e156655bd6aebda8f704a5620e933ebe766fac409e26bf3b
Opcode Fuzzy Hash: 15ff96a0bf62c7e052e5ded1cc71958b83202e5a8f13f0381bc3fe635a436e56
Instruction Fuzzy Hash: 45A1EF32F186469AE718DE26D4A08BC7321FF65368F144370FA299A5C9EF38F4958740

Function 00007FFDFAF78F50 Relevance: 9.2, APIs: 6, Instructions: 241COMMON

Download Yara Rule

APIs

_Dunscale.LIBCPMT ref: 00007FFDFAF78F8B
_Dunscale.LIBCPMT ref: 00007FFDFAF79043

Part of subcall function 00007FFDFAF70540: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDFAF6F4D4), ref: 00007FFDFAF70549

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: ca3cd41d9f9ad30a8d9137d8663536786c182ab9c24274ca301f090a8433af1f
Instruction ID: e85e9d0c47f226423f8f6f2266bce0c8fc2a0b9c8d1d963c022caf77761330c4
Opcode Fuzzy Hash: ca3cd41d9f9ad30a8d9137d8663536786c182ab9c24274ca301f090a8433af1f
Instruction Fuzzy Hash: 5CA1D12BF28A4B89D749DF7094A09BD2362FF563A4F504375FA1A1A5C8DF38E496C300

Function 00007FFDFAF48F50 Relevance: 9.2, APIs: 6, Instructions: 181COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFAF49000

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: 82e80838e38242e7afc29c15fcf42c77e0e821748a074dd5f01e046d30f1d311
Instruction ID: 351a0f6387906cc6f64f978966e932dcb9de3fe246d36769ef9d3bb1db29ed69
Opcode Fuzzy Hash: 82e80838e38242e7afc29c15fcf42c77e0e821748a074dd5f01e046d30f1d311
Instruction Fuzzy Hash: A0815C36705A8299EB54CF35C4A47AC37A0FB48BA8F445672FB6D4BA98DF38D564C300

Function 00007FFDFAF7C1D0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7C448: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF7BA92), ref: 00007FFDFAF7C46E
Part of subcall function 00007FFDFAF7C448: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF7BA92), ref: 00007FFDFAF7C4E6

_Xp_setn.LIBCPMT ref: 00007FFDFAF7C296
_Xp_setn.LIBCPMT ref: 00007FFDFAF7C2D1
_Xp_addx.LIBCPMT ref: 00007FFDFAF7C2E4
_Xp_setn.LIBCPMT ref: 00007FFDFAF7C362
_Xp_setn.LIBCPMT ref: 00007FFDFAF7C39D
_Xp_addx.LIBCPMT ref: 00007FFDFAF7C3B1

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: b85c19b15e6baae18e290b2f4fb5ec8c3089a0320ad16533d8df838bc3ede57e
Instruction ID: bfe033d2baa6d48deb4cf42202916068196f2fccc248714d73a6fe82f15e21d4
Opcode Fuzzy Hash: b85c19b15e6baae18e290b2f4fb5ec8c3089a0320ad16533d8df838bc3ede57e
Instruction Fuzzy Hash: 6661C122B1894282E7559E61F4A09BE6720FF85764F500272FE5E5B6CDDE3CE94AC700

Function 00007FFDFAF7BA40 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7C448: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF7BA92), ref: 00007FFDFAF7C46E
Part of subcall function 00007FFDFAF7C448: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF7BA92), ref: 00007FFDFAF7C4E6

_Xp_setn.LIBCPMT ref: 00007FFDFAF7BB06
_Xp_setn.LIBCPMT ref: 00007FFDFAF7BB41
_Xp_addx.LIBCPMT ref: 00007FFDFAF7BB54
_Xp_setn.LIBCPMT ref: 00007FFDFAF7BBD2
_Xp_setn.LIBCPMT ref: 00007FFDFAF7BC0D
_Xp_addx.LIBCPMT ref: 00007FFDFAF7BC21

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: c714774a65c67086b8fc1fe15050125c7ba114dbc64e621f4e95cbe5e0b23288
Instruction ID: ee4f1a24e37da5ca0558871fbf605b56459dae1411b4e8521320387f283a261b
Opcode Fuzzy Hash: c714774a65c67086b8fc1fe15050125c7ba114dbc64e621f4e95cbe5e0b23288
Instruction Fuzzy Hash: 3B61C122B1854282E7559E61F8A09EA6720FF85764F904372FE6E5B6CDDE3CD50A8700

Function 00007FFDFAE91B54 Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF488E
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF48E8
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF4915
X509_get_extension_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF4941
X509_get_signature_info.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF4966
OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF49BF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_numL_sk_value$X509_get_extension_flagsX509_get_signature_info
String ID:
API String ID: 420811412-0
Opcode ID: 37244389008d71d2445abf7cbb43b09ecfb0a3041cd64704a5d497d4444491cd
Instruction ID: 06ff454abad11a1fa3c7ac8d3358e35a51b4687014d0c6ac3c817327a0b3fdec
Opcode Fuzzy Hash: 37244389008d71d2445abf7cbb43b09ecfb0a3041cd64704a5d497d4444491cd
Instruction Fuzzy Hash: D241C622B0C2C246F768B6166411ABA57D4FFC5788F148071EEAF83BDADE3DD5454600

Function 00007FFDFAF499E4 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFDFAF49AD5
memmove.VCRUNTIME140 ref: 00007FFDFAF49AE5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF49B24
memmove.VCRUNTIME140 ref: 00007FFDFAF49B2E
memmove.VCRUNTIME140 ref: 00007FFDFAF49B3E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFAF49B6D

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 08e5bda85927132369ea67039cff2a9a34e9592503bd1027113120cc910ba582
Instruction ID: 3c38097ca6cc6a8cb2b53cd2797f2a0fa708cf4a35e3465ba04fd88af34dcd94
Opcode Fuzzy Hash: 08e5bda85927132369ea67039cff2a9a34e9592503bd1027113120cc910ba582
Instruction Fuzzy Hash: ED41036570874691EF189B15E4545A96351EF08BF0F544B71EE3D4BBD9DE3CE141C300

Function 00007FFDFAF49F30 Relevance: 9.1, APIs: 6, Instructions: 94fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFDFAF49FA8
GetFileInformationByHandle.KERNEL32 ref: 00007FFDFAF49FBE
CloseHandle.KERNEL32 ref: 00007FFDFAF49FCD
CreateFileW.KERNEL32 ref: 00007FFDFAF49FF7
GetFileInformationByHandle.KERNEL32 ref: 00007FFDFAF4A00D
CloseHandle.KERNEL32 ref: 00007FFDFAF4A01C

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: FileHandle$CloseCreateInformation
String ID:
API String ID: 1240749428-0
Opcode ID: 091695359f5934fc4898942f03813c4708db05027f3785207c6e5d9a1c014585
Instruction ID: a04eabd2c77a8266a145f3b0773c2b0a9f4d52668b1143baac888ede872b558e
Opcode Fuzzy Hash: 091695359f5934fc4898942f03813c4708db05027f3785207c6e5d9a1c014585
Instruction Fuzzy Hash: 1C41D032F146428AF764CF74D860BA927A0AB587ACF014735EE2C4AAD8DE3CA5948700

Function 00007FFDFAEA88A0 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

EVP_PKEY_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA88D5
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA88FE
EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA8917
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA8953
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA8972
EVP_PKEY_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA8983

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: Y_free$X_ctrlX_freeX_new_idY_new
String ID:
API String ID: 1769623012-0
Opcode ID: 31a991bae83cf8867feae630f7307f8070efe0ad916929ad708e797654622bd0
Instruction ID: f25555c250cf21bd9e7d02dcfa61ed7c2dcfc9c651dc2e16a869e4f255b894f6
Opcode Fuzzy Hash: 31a991bae83cf8867feae630f7307f8070efe0ad916929ad708e797654622bd0
Instruction Fuzzy Hash: C7217C22B4964241EB58BB19B46176A93E1DFC5784F284074EAAE4B7DEEE3FE4408700

Function 00007FFDFAF42F80 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFDFAF45FB6), ref: 00007FFDFAF42F89
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF45FB6), ref: 00007FFDFAF42F9B
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFDFAF45FB6), ref: 00007FFDFAF42FAA
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFDFAF45FB6), ref: 00007FFDFAF43010
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFDFAF45FB6), ref: 00007FFDFAF4301E
_wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFDFAF45FB6), ref: 00007FFDFAF43031

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
String ID:
API String ID: 490008815-0
Opcode ID: 24dfdaf3dfc79b8bbb5720d2743039c05b049ad27df30ca3ebbe60b462bca7fc
Instruction ID: 6d22ead73ce61bfd224c4948c32042e973891848296ff0c69e0614874bc53223
Opcode Fuzzy Hash: 24dfdaf3dfc79b8bbb5720d2743039c05b049ad27df30ca3ebbe60b462bca7fc
Instruction Fuzzy Hash: E6212C22E08B8583E7458F38D9156783760FFA9B5CF15A364DE980A356EF39E2D5C340

Function 00007FFDFAE919B5 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDBB6E, 00007FFDFAEDBF12

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID:
String ID: ssl\statem\statem_clnt.c
API String ID: 0-1578583260
Opcode ID: 2031c329da7411688090cc5c03c438c7492173f307880b42d620872d912feeba
Instruction ID: bdb1bbeca9051442f3d7e1d7691b13b815e874af6deb92726338deab0ab7be0e
Opcode Fuzzy Hash: 2031c329da7411688090cc5c03c438c7492173f307880b42d620872d912feeba
Instruction Fuzzy Hash: 1AB19561B0C64285FB68BA12D820BBA7294AF84BC8F0840B5DE5F4B7DDEF3ED5418701

Function 00007FFDFAE9204F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

ENGINE_load_ssl_client_cert.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEDC84B

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAEDC8E8, 00007FFDFAEDC99F

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: E_load_ssl_client_cert
String ID: ssl\statem\statem_clnt.c
API String ID: 2904557448-1578583260
Opcode ID: 2879ea954a26f85415bc2d868c4d03bdb62ee1bfa39557d4238f05a8f80b6a5c
Instruction ID: d0363dd7a2d7f7c0b69401c3beddfe001d3a8541d19ee7407fd30f649f88ddb0
Opcode Fuzzy Hash: 2879ea954a26f85415bc2d868c4d03bdb62ee1bfa39557d4238f05a8f80b6a5c
Instruction Fuzzy Hash: 8B61A572B4878281EB54AB25E460A7D63A1EBC8BD8F140075EA5E57BDDDF3EE442C700

Function 00007FFDFAF7C448 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF7BA92), ref: 00007FFDFAF7C46E
iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF7BA92), ref: 00007FFDFAF7C47F
iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF7BA92), ref: 00007FFDFAF7C4E6

Strings

(, xrefs: 00007FFDFAF7C5B7

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: iswspace$iswxdigit
String ID: (
API String ID: 3812816871-3887548279
Opcode ID: 650d72e6a99fbeaeae24055c8fc4941f869c87f825a42ed4852e29b378382afb
Instruction ID: d1def197284304f7fe0d1621b1c275815ec2e94da40ca34aad85ec7a0b139941
Opcode Fuzzy Hash: 650d72e6a99fbeaeae24055c8fc4941f869c87f825a42ed4852e29b378382afb
Instruction Fuzzy Hash: 4A518B56F0815381EB6C5F65E9206B972A1EF20BA5F488172FA594F4DCFF6DD842C310

Function 00007FFDFAF7A550 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF79992), ref: 00007FFDFAF7A576
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF79992), ref: 00007FFDFAF7A587
isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF79992), ref: 00007FFDFAF7A5E0
isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFAF79992), ref: 00007FFDFAF7A690

Strings

(, xrefs: 00007FFDFAF7A684

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: isspace$isalnumisxdigit
String ID: (
API String ID: 3355161242-3887548279
Opcode ID: f7ccdc3ff242e72e7502d34a25112cb878f66f9195d4a9d53ebc84bb3b9de4f6
Instruction ID: bdc806904bafb0276a07c48068e87c7f8d14c43d8d29564a6877c314e5276a9d
Opcode Fuzzy Hash: f7ccdc3ff242e72e7502d34a25112cb878f66f9195d4a9d53ebc84bb3b9de4f6
Instruction Fuzzy Hash: 4A41D953F181C245FB185F307974BF56B929F217A4F1A92B1EAA80F2C9DF1DE8498710

Function 00007FFDFAF63E14 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7B910: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B930
Part of subcall function 00007FFDFAF7B910: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B938
Part of subcall function 00007FFDFAF7B910: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B941
Part of subcall function 00007FFDFAF7B910: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B95D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFDFAF5A66C), ref: 00007FFDFAF63E55

Part of subcall function 00007FFDFAF4B73C: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF71E66,?,?,?,?,?,?,?,?,00000000,00007FFDFAF72FAE), ref: 00007FFDFAF4B767
Part of subcall function 00007FFDFAF4B73C: memmove.VCRUNTIME140(?,?,00000000,00007FFDFAF71E66,?,?,?,?,?,?,?,?,00000000,00007FFDFAF72FAE), ref: 00007FFDFAF4B783

_Getvals.LIBCPMT ref: 00007FFDFAF63E91

Strings

+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFDFAF63ECA
$+xv, xrefs: 00007FFDFAF63F3A
$+xv, xrefs: 00007FFDFAF63EC3

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 3031888307-3573081731
Opcode ID: 18a20bee829977f415d4ed614effb5e51aec087fc5513ae10d53762c605408cc
Instruction ID: 33b279e45f3e0561628544ec3987112296b2acd465800b41ef3003db90669f2f
Opcode Fuzzy Hash: 18a20bee829977f415d4ed614effb5e51aec087fc5513ae10d53762c605408cc
Instruction Fuzzy Hash: FC41C032B18B8187E728CF2195A086DBBA0FF58790B044375EB9947F85DB78E566CB00

Function 00007FFDFAF640E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF64116

Part of subcall function 00007FFDFAF7B910: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B930
Part of subcall function 00007FFDFAF7B910: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B938
Part of subcall function 00007FFDFAF7B910: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B941
Part of subcall function 00007FFDFAF7B910: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B95D

_Maklocstr.LIBCPMT ref: 00007FFDFAF6418F
_Maklocstr.LIBCPMT ref: 00007FFDFAF641A5

Strings

false, xrefs: 00007FFDFAF64188
true, xrefs: 00007FFDFAF6419E

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 309754672-2658103896
Opcode ID: 204fbbb0406511b48c7da4c0c94600194adbc32e31c6029f99380f43c278a04d
Instruction ID: eae754157a4434f9fa40aa936d6432f70cd4ca6b69356b078b4f4825bb8ea5ad
Opcode Fuzzy Hash: 204fbbb0406511b48c7da4c0c94600194adbc32e31c6029f99380f43c278a04d
Instruction Fuzzy Hash: 62415B22B18B5599E714CFB0E4505ED33B0FF48758B405226EE4D2BB99EF38D595C384

Function 00007FFDFAE91C53 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB6BF8
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB6C33

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEB6BD9, 00007FFDFAEB6C14, 00007FFDFAEB6C7A

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\ssl_lib.c
API String ID: 1767461275-1984206432
Opcode ID: 2e20fcb9300140c9b7cd0308643249316800104086b36eb5c69772f968b94258
Instruction ID: 0b24f4b32b0993f4947c5606476464b0d021f719d6f6e72397222a75f2dfc8d1
Opcode Fuzzy Hash: 2e20fcb9300140c9b7cd0308643249316800104086b36eb5c69772f968b94258
Instruction Fuzzy Hash: 5E31E372B08A8582F7549F14E454BAD23A0FB447A8F540271EB6E0B7DDDF3ED5418B04

Function 00007FFDFAF48400 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF484A3
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF484B4

Strings

ios_base::eofbit set, xrefs: 00007FFDFAF4847E
ios_base::failbit set, xrefs: 00007FFDFAF48477
ios_base::badbit set, xrefs: 00007FFDFAF4846C

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 9dfabcd0810c958d5c853a68a861df9002076998a7698bfbd5f1ec70049b1f9b
Instruction ID: 7be82ac076ca8c5fc21c17f828b925a0fa8c1ca14d3483044507c106958033b3
Opcode Fuzzy Hash: 9dfabcd0810c958d5c853a68a861df9002076998a7698bfbd5f1ec70049b1f9b
Instruction Fuzzy Hash: BD21B562B2864796EB289B20D5607A96360FF547A4F440271FA6D4B6E9DF3CF2A1C340

Function 00007FFDFAEFCBD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

BN_ucmp.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFCBF0
BN_ucmp.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFCC0B
BN_is_zero.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFCC1F
BN_num_bits.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFCC33

Strings

ssl\tls_srp.c, xrefs: 00007FFDFAEFCCCF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: N_ucmp$N_is_zeroN_num_bits
String ID: ssl\tls_srp.c
API String ID: 1527310491-1545769946
Opcode ID: 98e4713863f84209632212a94126898761f728e4024265a2b469d5886c6a5211
Instruction ID: 644f83190f9576f272f3ea2718e5b54d9b5e9457df3f79ebfc62de32fd171fdd
Opcode Fuzzy Hash: 98e4713863f84209632212a94126898761f728e4024265a2b469d5886c6a5211
Instruction Fuzzy Hash: 97213271B4D6C281FB54BB11E860BA92760EF84B8CF280071DE2E4B7DDDE6EE5418784

Function 00007FFDFAE91DCF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB314
OPENSSL_sk_new_null.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB32F
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB343
X509_up_ref.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAB34F

Strings

ssl\ssl_cert.c, xrefs: 00007FFDFAEAB2F8

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_new_nullL_sk_pushR_put_errorX509_up_ref
String ID: ssl\ssl_cert.c
API String ID: 1254856836-188639428
Opcode ID: 138c8d64329132df2bc16c6c0520400a8a4ca366aa4e3180ff6ab5ad530c2bfb
Instruction ID: 4b8c4e1af334a86f0b44c748fca0fa04a0679843477c5c1004d3bc5d202627ad
Opcode Fuzzy Hash: 138c8d64329132df2bc16c6c0520400a8a4ca366aa4e3180ff6ab5ad530c2bfb
Instruction Fuzzy Hash: 66119161B0964281FF98AB55F460BBD6290EF48B88F180171DA2E4B7CDDF3ED8514210

Function 00007FFDFAEA4F60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

BIO_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4F7E
BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4FCF
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA4FF4
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5032

Strings

ssl\s3_enc.c, xrefs: 00007FFDFAEA4F8B

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_ctrlO_freeO_newX_free
String ID: ssl\s3_enc.c
API String ID: 3686289451-1240879137
Opcode ID: 3aac6b123f0324e8d6693cbd54e6af84dc0449974dc93256ee8864de600641b6
Instruction ID: e95860f8984737a51ff54249675982c8201761f1478d97d3b57ab941239bf8bd
Opcode Fuzzy Hash: 3aac6b123f0324e8d6693cbd54e6af84dc0449974dc93256ee8864de600641b6
Instruction Fuzzy Hash: DD115C3670478195DB44EF15E060BEC37A0FB89B88F588671DE5E0B7A9DF3AD5948700

Function 00007FFDFAF48D30 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF48D87
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF48D98

Strings

ios_base::eofbit set, xrefs: 00007FFDFAF48D62
ios_base::failbit set, xrefs: 00007FFDFAF48D5B
ios_base::badbit set, xrefs: 00007FFDFAF48D4F

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 7b41f8d1febe2b454a0125b9ad1541f7a2252b2ea020287f2fb228ed09d199b1
Instruction ID: 3729e7e215354a932bc5e69a9c05ca214b46842d0ce68ecd4868c01fa1388bf3
Opcode Fuzzy Hash: 7b41f8d1febe2b454a0125b9ad1541f7a2252b2ea020287f2fb228ed09d199b1
Instruction Fuzzy Hash: 58F0DF62B2950786EB5CCB00D8A1AE92321EF50758F9407B1FA6D4E5E9DE3DF246C380

Function 00007FFDFAF4BFC0 Relevance: 7.8, APIs: 5, Instructions: 330stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF4C056
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF4C069
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF4C07E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF4C3D6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF4C421

Part of subcall function 00007FFDFAF51D70: memmove.VCRUNTIME140(?,?,?,?,00000000,00007FFDFAF4C213), ref: 00007FFDFAF51DCB
Part of subcall function 00007FFDFAF51D70: memset.VCRUNTIME140(?,?,?,?,00000000,00007FFDFAF4C213), ref: 00007FFDFAF51DD8

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmovememset
String ID:
API String ID: 2282448879-0
Opcode ID: d91e8d6525f2bcef4d70c074f0734adbef12e9643811d592e814a5a05bf70ea4
Instruction ID: 27b7e0f063e6a689e7929c26667a161f7a60bdab837795cac63f8c6244aa6797
Opcode Fuzzy Hash: d91e8d6525f2bcef4d70c074f0734adbef12e9643811d592e814a5a05bf70ea4
Instruction Fuzzy Hash: 1AE1B622B08A8684FB058F75C4606BC6771AF48BA8F545272EE6D5B7D9DF38D54BC300

Function 00007FFDFAF59450 Relevance: 7.8, APIs: 5, Instructions: 308stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF594EC
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF594FF
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF59514
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF59840
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF59890

Part of subcall function 00007FFDFAF6F0B4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFDFAF596AD), ref: 00007FFDFAF6F118

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
String ID:
API String ID: 1326169664-0
Opcode ID: bef39ad2bff482918cc8a2d64df695a89e991e8843ecec70beaa5d97ae4d00ea
Instruction ID: 33f61c94338634a29025528f48c5fa447284103421aefb5a1613e9e139eadf14
Opcode Fuzzy Hash: bef39ad2bff482918cc8a2d64df695a89e991e8843ecec70beaa5d97ae4d00ea
Instruction Fuzzy Hash: B2D17026B1CB8589EB188F65D450AAC6371FF48B98F504276EE6D1BB98DF3CD54AC300

Function 00007FFDFAF598D0 Relevance: 7.8, APIs: 5, Instructions: 308stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF5996C
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF5997F
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF59994
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF59CC0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF59D10

Part of subcall function 00007FFDFAF6F0B4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFDFAF596AD), ref: 00007FFDFAF6F118

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
String ID:
API String ID: 1326169664-0
Opcode ID: 747f4b0b15909765274e01761e203811345033ba4691296995ad1f84cff49cee
Instruction ID: 7d1e6038a974282412f02b69ca2b14f70465244c1972bde8163e5a8de19166e8
Opcode Fuzzy Hash: 747f4b0b15909765274e01761e203811345033ba4691296995ad1f84cff49cee
Instruction Fuzzy Hash: 38D16026B0CB8589FB18CB65D454AAC6371FF48B98F504276EEAD1B798DF38D54AC300

Function 00007FFDFAF549E0 Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

fgetwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFAF54A98

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: 3388b904bc8c8a491ceac14fde95b9ec3df9de33be67c3cc33d8773466e44bb8
Instruction ID: b461ed0ed3b244498a0cca7fbb9757c8bd6bafcbd8f06242513cff519b50cf4c
Opcode Fuzzy Hash: 3388b904bc8c8a491ceac14fde95b9ec3df9de33be67c3cc33d8773466e44bb8
Instruction Fuzzy Hash: 69818A32709A41D9EB28CF25C0A47AC33A1FB48BA9F551236EA6D4BB88DF39D454C300

Function 00007FFDFAF4B7A4 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4B86B
memset.VCRUNTIME140(?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4B879
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4B8B2
memmove.VCRUNTIME140(?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4B8BC
memset.VCRUNTIME140(?,?,?,00000002,?,?,00000000,00007FFDFAF71E66), ref: 00007FFDFAF4B8CA

Part of subcall function 00007FFDFAF92D7C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF45B18), ref: 00007FFDFAF92D96

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: memmovememset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 3042321802-0
Opcode ID: 8ab0126498ae36cab3d6d6a8965865d9d8be3a01728541f85b4ad769b4f2913e
Instruction ID: ea14e344218e6194b3c81354920d5d99d09e24aadf4a90329051ee085cd82566
Opcode Fuzzy Hash: 8ab0126498ae36cab3d6d6a8965865d9d8be3a01728541f85b4ad769b4f2913e
Instruction Fuzzy Hash: C031D361B0868785EF089B16E5246696211FF08BE4F984771FE7D0FBCADE7CD1828300

Function 00007FFDFAEB1D50 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB1D92
BIO_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB1D9A
BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB1DB6
DH_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB1E10
BIO_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB1E18

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: H_freeO_ctrlO_freeO_newO_s_file
String ID:
API String ID: 1469330667-0
Opcode ID: 54f8e3fd835f610374ffa1fc3dd5420f05d39d097fbbdef78f0ad20a06e12533
Instruction ID: c87a3aceeaceea2954a1e786ba16e646d50b246ea48845fd7986a6b30fe24650
Opcode Fuzzy Hash: 54f8e3fd835f610374ffa1fc3dd5420f05d39d097fbbdef78f0ad20a06e12533
Instruction Fuzzy Hash: E8213822B0A64246FB5CFA179421E792790EF80BD4F044471EE2F87BC9DE3AE4114740

Function 00007FFDFAE91F5F Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAA74
X509_get_subject_name.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAA84
X509_NAME_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAA8C
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAA9F
X509_NAME_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAAAB

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X509_$E_dupE_freeL_sk_new_nullL_sk_pushX509_get_subject_name
String ID:
API String ID: 2231116090-0
Opcode ID: af5d0d44aa03ca3b251dc6d2d9244e2c8d2ff125a6096e739ae61f1f405a00e0
Instruction ID: c6e15b96da1e9749f4227de0a5c63e4a9c5c04280577b6e81d8a6e48b78f17f5
Opcode Fuzzy Hash: af5d0d44aa03ca3b251dc6d2d9244e2c8d2ff125a6096e739ae61f1f405a00e0
Instruction Fuzzy Hash: 11017C65F1A78244FF8CB625AA35B7902D09F487C8F1480B0E92F4B7CEED1EE8524341

Function 00007FFDFAE922D9 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAA74
X509_get_subject_name.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAA84
X509_NAME_dup.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAA8C
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAA9F
X509_NAME_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEAAAAB

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X509_$E_dupE_freeL_sk_new_nullL_sk_pushX509_get_subject_name
String ID:
API String ID: 2231116090-0
Opcode ID: d031af273a8d6d9f2ffb475025c24adff10410682e9c4c5a2d82074014cea191
Instruction ID: eccdea7c339c06d43c7103aa03e27cde54f6d38ca8f4541b2261734ea7432f6c
Opcode Fuzzy Hash: d031af273a8d6d9f2ffb475025c24adff10410682e9c4c5a2d82074014cea191
Instruction Fuzzy Hash: 5F017C61F1A78240EF9CB6259635B7802D09F48BC4F1480B0E92F4B7CEED1EE8524341

Function 00007FFDFAF44CF0 Relevance: 7.5, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF52120: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFDFAF44CFE,?,?,00000000,00007FFDFAF45B7B), ref: 00007FFDFAF5212F

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF45B7B), ref: 00007FFDFAF44D07
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF45B7B), ref: 00007FFDFAF44D1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF45B7B), ref: 00007FFDFAF44D2F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF45B7B), ref: 00007FFDFAF44D43
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF45B7B), ref: 00007FFDFAF44D57
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF45B7B), ref: 00007FFDFAF44D6B

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free$setlocale
String ID:
API String ID: 294139027-0
Opcode ID: d8ad281ace512199a143424985c99e08dbf51e5e625437b95d36bcd354fcd84c
Instruction ID: 860ccb6d732b7c665bd42440a13e9e49612055528f54c664bbbfbd2d06bd56b9
Opcode Fuzzy Hash: d8ad281ace512199a143424985c99e08dbf51e5e625437b95d36bcd354fcd84c
Instruction Fuzzy Hash: EC11F111705A4681EB5D8FA1D4B5B391374EF48FA9F140774E91A0D18CCF6CD494C390

Function 00007FFDFAF4A520 Relevance: 7.5, APIs: 5, Instructions: 38fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFDFAF4A54F
GetLastError.KERNEL32 ref: 00007FFDFAF4A55E
SetFileInformationByHandle.KERNEL32 ref: 00007FFDFAF4A57D
CloseHandle.KERNEL32 ref: 00007FFDFAF4A588
GetLastError.KERNEL32 ref: 00007FFDFAF4A592

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ErrorFileHandleLast$CloseCreateInformation
String ID:
API String ID: 1345328482-0
Opcode ID: 30971b58a168b2db1a338b74e164fcee82c7c8eaa2720d16d5e8872ce76b288a
Instruction ID: 790c8629f5ae24725999ee08ffc6c233d398d65490abb455ef4570a2ae37152f
Opcode Fuzzy Hash: 30971b58a168b2db1a338b74e164fcee82c7c8eaa2720d16d5e8872ce76b288a
Instruction Fuzzy Hash: 0D01A171B0474182EB449B26E914918B3A4BF88BF4F144371DB39477E8CF78E9158700

Function 00007FFDFAF532B0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFAF532BE
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFAF532CA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFAF532D5
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFAF532E3
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF532E9

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: __acrt_iob_func$abortfputcfputs
String ID:
API String ID: 2697642930-0
Opcode ID: 39015308bb41799831a372941eed23743f05ce742de8110d7f8dae81d79ea820
Instruction ID: e78df9f8ea1c181a9f9e0b24bbb32c377a8d8d8b5fa769071c6598696fcf7af8
Opcode Fuzzy Hash: 39015308bb41799831a372941eed23743f05ce742de8110d7f8dae81d79ea820
Instruction Fuzzy Hash: 67F03055B1950587FB5C5B66EC687381325EF4CF99F041174D91E4F3A8DE2C94558300

Function 00007FFDFAF42550 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF42592
RaiseException.KERNEL32 ref: 00007FFDFAF426A8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF426CD

Strings

csm, xrefs: 00007FFDFAF425F6

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Exception$RaiseThrowabort
String ID: csm
API String ID: 3758033050-1018135373
Opcode ID: 2858542dee19fcdc321e17dbc1313d316a641d29f3732522e80c055534a547a4
Instruction ID: 4268620c7086d0c69c30aeb9431e7c2f792d9e5ecd9959965065ad1bc9373e0c
Opcode Fuzzy Hash: 2858542dee19fcdc321e17dbc1313d316a641d29f3732522e80c055534a547a4
Instruction Fuzzy Hash: 1B517322A04F8686EB15CF28C4502A833A0FB58B6CF159335EE6D477A5DF39E6D5C300

Function 00007FFDFAF74AC0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7B910: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B930
Part of subcall function 00007FFDFAF7B910: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B938
Part of subcall function 00007FFDFAF7B910: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B941
Part of subcall function 00007FFDFAF7B910: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B95D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFDFAF72DE8), ref: 00007FFDFAF74B01

Part of subcall function 00007FFDFAF4B73C: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF71E66,?,?,?,?,?,?,?,?,00000000,00007FFDFAF72FAE), ref: 00007FFDFAF4B767
Part of subcall function 00007FFDFAF4B73C: memmove.VCRUNTIME140(?,?,00000000,00007FFDFAF71E66,?,?,?,?,?,?,?,?,00000000,00007FFDFAF72FAE), ref: 00007FFDFAF4B783

Strings

+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFDFAF74B76
$+xv, xrefs: 00007FFDFAF74B6F
$+xv, xrefs: 00007FFDFAF74BE6

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 462457024-3573081731
Opcode ID: 1dcd3954d1f7d31f519392f07a18f721f3af74474999d7c70117f29d8a5b9635
Instruction ID: a5989521cc850f3cfdace79dd15d004ded914929bf78a3259ab8469e9cb4516d
Opcode Fuzzy Hash: 1dcd3954d1f7d31f519392f07a18f721f3af74474999d7c70117f29d8a5b9635
Instruction Fuzzy Hash: 4441E432B08B818BE729CF25E5A0A6D7BA0FF447517044275EBA947E45DF38F966CB00

Function 00007FFDFAF4F9D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF4F954
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF4F966
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF4F9EB

Part of subcall function 00007FFDFAF44E20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E42
Part of subcall function 00007FFDFAF44E20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E68
Part of subcall function 00007FFDFAF44E20: memmove.VCRUNTIME140(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E80

Strings

bad locale name, xrefs: 00007FFDFAF4F9B5

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: setlocale$freemallocmemmove
String ID: bad locale name
API String ID: 4085402405-1405518554
Opcode ID: cf685965af1bdb6c02c346b5a88a7a304bd14e5c28664c5ffd619e7f50bbcb5b
Instruction ID: 51d3b61c2383ff790625157e6916b8502643e6bbb45204f021fcd474783a1410
Opcode Fuzzy Hash: cf685965af1bdb6c02c346b5a88a7a304bd14e5c28664c5ffd619e7f50bbcb5b
Instruction Fuzzy Hash: 9D319422F0864352FB598B15E8649797251AF44FB0F588275FE6E4B7DDDE3CE5818300

Function 00007FFDFAF63CCC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF7B910: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B930
Part of subcall function 00007FFDFAF7B910: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B938
Part of subcall function 00007FFDFAF7B910: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B941
Part of subcall function 00007FFDFAF7B910: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B95D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFDFAF5A4BC), ref: 00007FFDFAF63D0D

Part of subcall function 00007FFDFAF4B73C: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF71E66,?,?,?,?,?,?,?,?,00000000,00007FFDFAF72FAE), ref: 00007FFDFAF4B767
Part of subcall function 00007FFDFAF4B73C: memmove.VCRUNTIME140(?,?,00000000,00007FFDFAF71E66,?,?,?,?,?,?,?,?,00000000,00007FFDFAF72FAE), ref: 00007FFDFAF4B783

Part of subcall function 00007FFDFAF56DB4: _Maklocstr.LIBCPMT ref: 00007FFDFAF56DE4
Part of subcall function 00007FFDFAF56DB4: _Maklocstr.LIBCPMT ref: 00007FFDFAF56E03
Part of subcall function 00007FFDFAF56DB4: _Maklocstr.LIBCPMT ref: 00007FFDFAF56E22

Strings

+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFDFAF63D82
$+xv, xrefs: 00007FFDFAF63DF2
$+xv, xrefs: 00007FFDFAF63D7B

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 2504686060-3573081731
Opcode ID: b6e4c9aae34a7dffa236f5823e255392fc6f7986d2d047a44bd2cf243147a234
Instruction ID: 7625304252b6eefea019a5443ac33aaae741502d06e38151830d9fdde681961c
Opcode Fuzzy Hash: b6e4c9aae34a7dffa236f5823e255392fc6f7986d2d047a44bd2cf243147a234
Instruction Fuzzy Hash: 7441CE32B08B859BE768CB21D5A096D7BA0FF44BA07044375EBA947B55DF38E562CB00

Function 00007FFDFAE91EA1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBB75E

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBB690, 00007FFDFAEBB752

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\ssl_lib.c
API String ID: 1767461275-1984206432
Opcode ID: e2accd4c012e4d4ef6f7ca0d85fc3a45213e3a5c1f3583805207b4b3e3c130c7
Instruction ID: 0bd98a1d009ae97630a35dc2d2f2af9e52599da2ecbaa86762f5d6709b125bcf
Opcode Fuzzy Hash: e2accd4c012e4d4ef6f7ca0d85fc3a45213e3a5c1f3583805207b4b3e3c130c7
Instruction Fuzzy Hash: 4C31A171B1C15686F368AB20D438BF93690FB45788F580275DA6E4AADCCF7FE9418B00

Function 00007FFDFAEBE8B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBE8FD

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBE8E0, 00007FFDFAEBE9AD

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\ssl_lib.c
API String ID: 1767461275-1984206432
Opcode ID: 3e90dc6f6eea8fea918a51f8e406982d81a0af92379df355acbf385e8a3b6664
Instruction ID: 863127bbdbda994f42c6e93b602f65785d70e2278d9a49b3429a3f8630e08361
Opcode Fuzzy Hash: 3e90dc6f6eea8fea918a51f8e406982d81a0af92379df355acbf385e8a3b6664
Instruction Fuzzy Hash: 0631DC32B0878585E3A8EB15E458BA97360FB84BC4F1801B2EA9E477E9CF3ED405C740

Function 00007FFDFAF4A400 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 00007FFDFAF4A432
FindNextFileW.KERNEL32 ref: 00007FFDFAF4A463
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF4A482

Strings

., xrefs: 00007FFDFAF4A43C

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: FileFindNext$wcscpy_s
String ID: .
API String ID: 544952861-248832578
Opcode ID: f6cb4239e9efc5bc91c4f1ca07b7fed765b8d9bc947f1092407d0eb74915392c
Instruction ID: 162372c3568380fe717641bd695f25e4769c9a3cbc2c444390d26cb722dd5cf3
Opcode Fuzzy Hash: f6cb4239e9efc5bc91c4f1ca07b7fed765b8d9bc947f1092407d0eb74915392c
Instruction Fuzzy Hash: 2821A422B1C68281FB74AF11E8697797360FF48764F544271EEAC4A6E8DF3CD5458700

Function 00007FFDFAEACD10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACF84

Strings

SHA256, xrefs: 00007FFDFAEACE00
any, xrefs: 00007FFDFAEACD10
IDEA(128), xrefs: 00007FFDFAEACD5A

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_snprintf
String ID: IDEA(128)$SHA256$any
API String ID: 3142812517-1956614738
Opcode ID: 41b686e8ae60a22895ef708ffbacbfac0cecf94a42ad52990ba60dd124d6d427
Instruction ID: e2d2df742a98a5357913af99ab381091b19d2756ea5135963d8b9c9a50a0c607
Opcode Fuzzy Hash: 41b686e8ae60a22895ef708ffbacbfac0cecf94a42ad52990ba60dd124d6d427
Instruction Fuzzy Hash: 951184B6F8C64380E37C66A8A0A487556A0FFC1754F0541B2DD7E1AADC8E3EE9518344

Function 00007FFDFAEACD07 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACF84

Strings

SHA256, xrefs: 00007FFDFAEACE00
IDEA(128), xrefs: 00007FFDFAEACD5A
GOST12, xrefs: 00007FFDFAEACD07

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_snprintf
String ID: GOST12$IDEA(128)$SHA256
API String ID: 3142812517-3478822438
Opcode ID: c2ea456ee136582a62d5304ef21b37c7ea6febe3dcb5927025b953543f6578d1
Instruction ID: ba73dacb4be0afd6bc7452232fba8348f02e3321c70c78ed9d94ed05adc0f2e2
Opcode Fuzzy Hash: c2ea456ee136582a62d5304ef21b37c7ea6febe3dcb5927025b953543f6578d1
Instruction Fuzzy Hash: A91184B6F8C64380E37C66A8A0A487556A0FFC1754F0541B2DD7E1AADC8E3EE9518344

Function 00007FFDFAEACCFE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACF84

Strings

SHA256, xrefs: 00007FFDFAEACE00
IDEA(128), xrefs: 00007FFDFAEACD5A
GOST01, xrefs: 00007FFDFAEACCFE

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_snprintf
String ID: GOST01$IDEA(128)$SHA256
API String ID: 3142812517-4064199452
Opcode ID: fe553c6fab774e19d891e07af31ff418bc7ecdf46ea8fb3f0c23cfa85ae5d105
Instruction ID: e692790dc87d5bfa0ca59b0b069f6e7cb15feabf582f4d98528d0d283e8c9727
Opcode Fuzzy Hash: fe553c6fab774e19d891e07af31ff418bc7ecdf46ea8fb3f0c23cfa85ae5d105
Instruction Fuzzy Hash: AF11A4B2F8C64380E37C66A8A0A487556A0FFC1754F0541B2DD7E1AADC8E3EE8518340

Function 00007FFDFAEACCF5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACF84

Strings

SHA256, xrefs: 00007FFDFAEACE00
IDEA(128), xrefs: 00007FFDFAEACD5A
SRP, xrefs: 00007FFDFAEACCF5

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_snprintf
String ID: IDEA(128)$SHA256$SRP
API String ID: 3142812517-1647395391
Opcode ID: 7090698bdcc68b6a15aa9f71ac5cc9a384dd9a344dd97a029da310242ba6245e
Instruction ID: 3333cce533b02e79fea23d33b079571bf20727bcd2797eac2e511af2a5aff466
Opcode Fuzzy Hash: 7090698bdcc68b6a15aa9f71ac5cc9a384dd9a344dd97a029da310242ba6245e
Instruction Fuzzy Hash: CE11A4B6F8C64380E37C66A8A0A487956A0FFC1754F0541B2DD7F1AADC8E3EE8518340

Function 00007FFDFAEACCEC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACF84

Strings

SHA256, xrefs: 00007FFDFAEACE00
PSK, xrefs: 00007FFDFAEACCEC
IDEA(128), xrefs: 00007FFDFAEACD5A

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_snprintf
String ID: IDEA(128)$PSK$SHA256
API String ID: 3142812517-1637006702
Opcode ID: 10522031b8613a72a2e65bba58e0bafa1f525849c64a635a884ae61e966c72d7
Instruction ID: f69b363b68545180734cab8f24109db40aff88d5931ab50ebe0b8d0e15e2f6cf
Opcode Fuzzy Hash: 10522031b8613a72a2e65bba58e0bafa1f525849c64a635a884ae61e966c72d7
Instruction Fuzzy Hash: D211A4B2F8C64380E37C66A8A0A4C7556A0FFC1754F0541B2DDBF1AAEC8E3EE8518340

Function 00007FFDFAEACCE3 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACF84

Strings

SHA256, xrefs: 00007FFDFAEACE00
IDEA(128), xrefs: 00007FFDFAEACD5A
ECDSA, xrefs: 00007FFDFAEACCE3

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_snprintf
String ID: ECDSA$IDEA(128)$SHA256
API String ID: 3142812517-1715931570
Opcode ID: 0125b02d5344fd4e537268e4d856b18e622b5e9f116203bd6f45ec6ef23ea3a8
Instruction ID: 4410f112db19411fd2bf02e43a83e1a5fdf716f916dd8b56ce5d9d6872f1a879
Opcode Fuzzy Hash: 0125b02d5344fd4e537268e4d856b18e622b5e9f116203bd6f45ec6ef23ea3a8
Instruction Fuzzy Hash: 8111A4B2F8C64380E37C66A8A0A487956A0FFC1754F0541B2DD7F1AAEC8E3EE8518340

Function 00007FFDFAEACCD5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACF84

Strings

SHA256, xrefs: 00007FFDFAEACE00
IDEA(128), xrefs: 00007FFDFAEACD5A
DSS, xrefs: 00007FFDFAEACCD5

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_snprintf
String ID: DSS$IDEA(128)$SHA256
API String ID: 3142812517-3841199953
Opcode ID: 8c1b6463996619e8ea71d5dfa1f8eda5d77dbd468a102a1eb6650ac641da94fe
Instruction ID: 771eb5be388e006f8a8f75dc0dc14a2718914aa192bbafeaae3c3d57669d15ea
Opcode Fuzzy Hash: 8c1b6463996619e8ea71d5dfa1f8eda5d77dbd468a102a1eb6650ac641da94fe
Instruction Fuzzy Hash: 7C1184B6F8C64380E37CA6A8A0A4C7556A0FFC1754F4541B2DD7F1AADC8E3EE9518344

Function 00007FFDFAEE4005 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

OPENSSL_sk_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE403C
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE413E
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE4161
OPENSSL_sk_pop_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE4211
X509_NAME_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE4219

Strings

ssl\statem\statem_lib.c, xrefs: 00007FFDFAEE4053

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_pop_free$E_freeL_sk_newL_sk_pushX509_
String ID: ssl\statem\statem_lib.c
API String ID: 3595667005-846902345
Opcode ID: bec52d82d2b31a7b8a50f11615cad6403eff8c8a368e2d202ef990a61cf98b73
Instruction ID: 57a0dde67f2f512c9dae132cd3b694006697c48af7df41d982787c8145e6d2ac
Opcode Fuzzy Hash: bec52d82d2b31a7b8a50f11615cad6403eff8c8a368e2d202ef990a61cf98b73
Instruction Fuzzy Hash: 9201D222B1864285E708FB16B8209A56790FF88B84F548571FE6E03BD9DF3DE405CB00

Function 00007FFDFAF46BC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF46C72
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFAF46CB5
_CxxThrowException.VCRUNTIME140 ref: 00007FFDFAF46CC6

Strings

ios_base::badbit set, xrefs: 00007FFDFAF46C50, 00007FFDFAF46C7D

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set
API String ID: 1099746521-3882152299
Opcode ID: ea8e07bdf6bddd24848a70f65d50b6c8ee1c16b94179bca5c2399a45ae682a0b
Instruction ID: f6e8b1d1a06ab520f67d88e85ab2e66f40695c17231c6a4022c55c4c4873ad8d
Opcode Fuzzy Hash: ea8e07bdf6bddd24848a70f65d50b6c8ee1c16b94179bca5c2399a45ae682a0b
Instruction Fuzzy Hash: 7701F762B2D50751F75C8611D8A1DB96311EF807A5F1483B5FA6D0EADDDE3DE2068240

Function 00007FFDFAEA6AAF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

EC_KEY_get0_group.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6AC4
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6AE9

Strings

ssl\s3_lib.c, xrefs: 00007FFDFAEA6ACE

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_errorY_get0_group
String ID: ssl\s3_lib.c
API String ID: 3547453883-3639828702
Opcode ID: d50829b8c2ee8263492bba2ce2c47aa6abb4a4b74c4c7dc4f618e704aba10af4
Instruction ID: ea0b7471912b563658acf815008b984bb4049321f8de6276b28ab988819fb974
Opcode Fuzzy Hash: d50829b8c2ee8263492bba2ce2c47aa6abb4a4b74c4c7dc4f618e704aba10af4
Instruction Fuzzy Hash: 160128A2B0C58281EB54EB14F020AAD67A0EB84788F940571DF5D4B7DDEF3ED545CB00

Function 00007FFDFAEA6FA9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6FB5
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6FE1
OPENSSL_sk_push.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA6FF9

Strings

ssl\s3_lib.c, xrefs: 00007FFDFAEA6FD3

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_new_nullL_sk_pushR_put_error
String ID: ssl\s3_lib.c
API String ID: 1176158178-3639828702
Opcode ID: 372d9b98b0f8987c32b0d9ad482a8ba392a1ef144003fcbf5f960516b378e0f9
Instruction ID: b9a43bfb81705d4547c868f951aa5994d7e91793ead8ec2ec47b5122a34fea30
Opcode Fuzzy Hash: 372d9b98b0f8987c32b0d9ad482a8ba392a1ef144003fcbf5f960516b378e0f9
Instruction Fuzzy Hash: 5EF0AF62B4954382EB68AF15E020ABD63A0FB44B4CF540474EA2D0ABCDEF3EE4648700

Function 00007FFDFAEF3D90 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFDFAEF3DDF
EC_curve_nist2nid.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF3DF8
OBJ_sn2nid.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF3E08
OBJ_ln2nid.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEF3E18

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: C_curve_nist2nidJ_ln2nidJ_sn2nidmemcpy
String ID:
API String ID: 722349470-0
Opcode ID: 16a780c6775c3b7096dd2f9bbe2dc9f1b5b61dd5595437c7a170dcfe3fa3dc99
Instruction ID: 581d008d51cf2baa6af6a1e6f5f696afc039fec19299cfad131a2f6a7012b88e
Opcode Fuzzy Hash: 16a780c6775c3b7096dd2f9bbe2dc9f1b5b61dd5595437c7a170dcfe3fa3dc99
Instruction Fuzzy Hash: 4721C822B0878345FF6CAB24D4715796390EF58788F504171E67F8A6DEDF2EE8418600

Function 00007FFDFAF572B4 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00000000,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFDFAF56DE9,00000000,00000000,00000000,00000000), ref: 00007FFDFAF57393
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFDFAF56DE9,00000000,00000000,00000000,00000000), ref: 00007FFDFAF573E7
memmove.VCRUNTIME140(?,?,?,00000000,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFDFAF56DE9,00000000,00000000,00000000,00000000), ref: 00007FFDFAF573F1
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFAF57435

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 81c5d91834ed81817bc7a3763d63d2768ad372312a92bcbf1dac3dd0a69bbd43
Instruction ID: d8af4872a1fab2039ae97d3ed426a2e1c4858b7e3356566324e33937fb5bc1c2
Opcode Fuzzy Hash: 81c5d91834ed81817bc7a3763d63d2768ad372312a92bcbf1dac3dd0a69bbd43
Instruction Fuzzy Hash: 6441CF61B08A5699EB189B16E5249796265AF48BF4F540B71FE3D0BBDCEE3CE042C300

Function 00007FFDFAF49B7C Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFDFAF49C5B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF49C9E
memmove.VCRUNTIME140 ref: 00007FFDFAF49CA8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFAF49CDB

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: a89062e393a741c4124de89569396661fb3b7d2ebb6b35516b482e3205cecbc5
Instruction ID: 0ce1eda4a9361213e1233ed9ea42f46a6c1292f6efd9af3a1ac2d50abede6b97
Opcode Fuzzy Hash: a89062e393a741c4124de89569396661fb3b7d2ebb6b35516b482e3205cecbc5
Instruction Fuzzy Hash: 7A31F265B0868785EB08DB12E5A4969A395AF04BF4F104735EE7D0BBEDEE7CE141C304

Function 00007FFDFAF702DC Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

_FXp_setw.LIBCPMT ref: 00007FFDFAF7033B
_FXp_movx.LIBCPMT ref: 00007FFDFAF7034B

Part of subcall function 00007FFDFAF70BC0: memmove.VCRUNTIME140(?,?,00000004,00007FFDFAF70350), ref: 00007FFDFAF70BD6

Part of subcall function 00007FFDFAF70B48: ldexp.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,00007FFDFAF70360), ref: 00007FFDFAF70B7C

_FXp_movx.LIBCPMT ref: 00007FFDFAF70392
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFAF7040B

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: Xp_movx$Xp_setw_errnoldexpmemmove
String ID:
API String ID: 2295688418-0
Opcode ID: e4b707cf4477b9210f83377f1d03c1102352ebe1cebc52e4276839aa2ca0479d
Instruction ID: 99267cbc098054be15883656981f16e1be7822feeb8e0eac588905ff76136e18
Opcode Fuzzy Hash: e4b707cf4477b9210f83377f1d03c1102352ebe1cebc52e4276839aa2ca0479d
Instruction Fuzzy Hash: 9A41E922B0C64682F3599B19F4619BA6350BF88764F5443B1FA6D9B2EDDF3CF6068700

Function 00007FFDFAF43190 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF431AD
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF431B7
islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF431F4
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF4324E

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
String ID:
API String ID: 2234106055-0
Opcode ID: a3872e754e55f1c04c4e298ba1e51031b2d21b48679bf5aa99d2a5b0246515ce
Instruction ID: 5a1dac433b2914acd87afe59f524b4c12e0e23f093037dca492cc610887cf64d
Opcode Fuzzy Hash: a3872e754e55f1c04c4e298ba1e51031b2d21b48679bf5aa99d2a5b0246515ce
Instruction Fuzzy Hash: EA31C722B0C74282F7198B16E46067D7A51FF84BA0F184275EEAA4B7DCDE3CE644C710

Function 00007FFDFAF43050 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF43067
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF43071
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF430A7
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFAF43107

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
String ID:
API String ID: 3857474680-0
Opcode ID: 2d22c5332818ae336685b8c1a75e65d53b738ad4a147a8048896ae0ee6a841fc
Instruction ID: 17b2c0710ba551ee517b7c9772930220825bd724833653aaaa3d1a0bdf86b091
Opcode Fuzzy Hash: 2d22c5332818ae336685b8c1a75e65d53b738ad4a147a8048896ae0ee6a841fc
Instruction Fuzzy Hash: B831E462B0C64282F7198B19D86077D6A61EF84BA4F1843B5EEA90B7DDDE2CE584C710

Function 00007FFDFAF7B7F0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFDFAF6EE24), ref: 00007FFDFAF7B837
memmove.VCRUNTIME140(?,00000000,?,?,?,00007FFDFAF6EE24), ref: 00007FFDFAF7B85B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFDFAF6EE24), ref: 00007FFDFAF7B868
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFDFAF6EE24), ref: 00007FFDFAF7B8DB

Part of subcall function 00007FFDFAF42E60: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF42E8A
Part of subcall function 00007FFDFAF42E60: LCMapStringEx.KERNEL32 ref: 00007FFDFAF42ECE

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: String___lc_locale_name_funcfreemallocmemmovewcsnlen
String ID:
API String ID: 1076354707-0
Opcode ID: effc925cbdc0536cab099e7de828bba3e5ea5334690c790ec5e0d6b708825ae1
Instruction ID: 1c9ceac1d0e5b1983f4980ad22649617c510183ac793e7d667eca15761fadb5f
Opcode Fuzzy Hash: effc925cbdc0536cab099e7de828bba3e5ea5334690c790ec5e0d6b708825ae1
Instruction Fuzzy Hash: 0E21C821B0869585E7249F12E4109699A94FF45FF4F584371EE7A1B7D8DE3CD0428300

Function 00007FFDFAF7AE50 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,00007FFDFAF75DBB), ref: 00007FFDFAF7AE84
___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,00007FFDFAF75DBB), ref: 00007FFDFAF7AE8E

Part of subcall function 00007FFDFAF42730: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF42776
Part of subcall function 00007FFDFAF42730: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAF4279B
Part of subcall function 00007FFDFAF42730: GetCPInfo.KERNEL32 ref: 00007FFDFAF427DB

memcmp.VCRUNTIME140 ref: 00007FFDFAF7AEB1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,00007FFDFAF75DBB), ref: 00007FFDFAF7AEEF

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
String ID:
API String ID: 3421985146-0
Opcode ID: 630b986ac7e967e37226091dd14a9e0bb2a9489160b047c7bfb1c90bdc4767c1
Instruction ID: 3a7483ae2c81ccfa6f47e3122d12673d30e62bcfcf7ba2fd5deaa0db413103c6
Opcode Fuzzy Hash: 630b986ac7e967e37226091dd14a9e0bb2a9489160b047c7bfb1c90bdc4767c1
Instruction Fuzzy Hash: 8B218371B1874286E7289F16A85046AA694FF88FE0B464375EA6D4B7D8DF7CE4418700

Function 00007FFDFAE918FC Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

RAND_priv_bytes.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC64B
BN_bin2bn.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC660
OPENSSL_cleanse.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC676
SRP_Calc_B.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEFC697

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: Calc_D_priv_bytesL_cleanseN_bin2bn
String ID:
API String ID: 4178199679-0
Opcode ID: bcdc0d561eb63b858571914a9ac6c70cc3037523bece707b186e45720b42d5f1
Instruction ID: c0800cd1662be12ed3a58b7c7806901ad99a8fe177ccc92d4894353f6478e2fc
Opcode Fuzzy Hash: bcdc0d561eb63b858571914a9ac6c70cc3037523bece707b186e45720b42d5f1
Instruction Fuzzy Hash: A8216222B0CAC181EB99EF15E8607B923A0FF88B88F545076DA5D4A7DDDF7DE4418B40

Function 00007FFDFAF7B910 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B930
___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B938
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B941
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B95D

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
String ID:
API String ID: 3203701943-0
Opcode ID: 1f8a53e7ba3679edb9a7079c2ea40e071cdf60c42289322c327c412af45768ff
Instruction ID: 94b29ef27480b43afb617bdc30e9b0ecf5a6f72f9668c76fa855047856bcf96b
Opcode Fuzzy Hash: 1f8a53e7ba3679edb9a7079c2ea40e071cdf60c42289322c327c412af45768ff
Instruction Fuzzy Hash: DB01E9A2F1579186EB594F7AD810428A7B0FF59F98B149335E96A4B754DE3CD0818700

Function 00007FFDFAE919C9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

BIO_find_type.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE94AC0
BIO_find_type.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE94AD0
BIO_get_data.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE94AE5
BIO_get_data.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE94AF0

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_find_typeO_get_data
String ID:
API String ID: 280995463-0
Opcode ID: bdcf0033f2becbb481c592d08fead31aaf167084d534321484e95e0fa39469e7
Instruction ID: ea9840e1336e4e94cfde32a7e860a3456f7b03b0be9f59d6f47c469d3f0df99a
Opcode Fuzzy Hash: bdcf0033f2becbb481c592d08fead31aaf167084d534321484e95e0fa39469e7
Instruction Fuzzy Hash: 54014411F1D74241FB98B662B52066956909F9CFD8F185071E92E4BBCEED1EE4518700

Function 00007FFDFAF424B8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF42520

Strings

csm, xrefs: 00007FFDFAF424EA
RCC, xrefs: 00007FFDFAF424E2
MOC, xrefs: 00007FFDFAF424DA

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: malloc
String ID: MOC$RCC$csm
API String ID: 2803490479-2671469338
Opcode ID: 0842c5ad6dae9956eacd9125fe4a1901678d67ebb923e416be1135266b159cb0
Instruction ID: 409d7116cf1647621dd8c0ed5b7d45d81189991c34bd0d7556cc7671953a9a6b
Opcode Fuzzy Hash: 0842c5ad6dae9956eacd9125fe4a1901678d67ebb923e416be1135266b159cb0
Instruction Fuzzy Hash: 36018D61F0814386EB6C5E11D1B497C22A1AF4CBA4F185275EE2D4B7CDCE2DE641C702

Function 00007FF66A2C19D4 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF66A2C1A00
GetCurrentThreadId.KERNEL32 ref: 00007FF66A2C1A0E
GetCurrentProcessId.KERNEL32 ref: 00007FF66A2C1A1A
QueryPerformanceCounter.KERNEL32 ref: 00007FF66A2C1A2A

Memory Dump Source

Source File: 00000001.00000002.1658971487.00007FF66A081000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF66A080000, based on PE: true

Associated: 00000001.00000002.1658959930.00007FF66A080000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1659294593.00007FF66A3F5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1659435975.00007FF66A587000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1659461535.00007FF66A589000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1659505719.00007FF66A58A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1659505719.00007FF66A58F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1659540556.00007FF66A5B9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff66a080000_EASteamProxy.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 75c67c841cac99491d120d09bb65f58ef6c84b973e9777b9548181de714e37ab
Instruction ID: e51008bf850fecc415fc72162aad58fe43cf78106a790db9f739af13c2d13ee1
Opcode Fuzzy Hash: 75c67c841cac99491d120d09bb65f58ef6c84b973e9777b9548181de714e37ab
Instruction Fuzzy Hash: FB111822B24F01CAEB00CFA0E8552A833B4FB59758F440A75DA6D8B7A4DF78D1988340

Function 00007FFDFAF93640 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDFAF9366C
GetCurrentThreadId.KERNEL32 ref: 00007FFDFAF9367A
GetCurrentProcessId.KERNEL32 ref: 00007FFDFAF93686
QueryPerformanceCounter.KERNEL32 ref: 00007FFDFAF93696

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: cb7e06f3717605cddd7c35a5c57c0366a01dadd7c2aa9b059d7e6a79716cb6a0
Instruction ID: 2d65dc8583912e578bc807250238c25d84631b1c494f6b5720d9aa55c9f4a3d8
Opcode Fuzzy Hash: cb7e06f3717605cddd7c35a5c57c0366a01dadd7c2aa9b059d7e6a79716cb6a0
Instruction Fuzzy Hash: 83112122B14F018AEB44CF61EC556B833A4FB59B6CF440E35EA7D467A8DF78D1948340

Function 00007FFDFAE91D39 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBEA4C
EVP_MD_CTX_new.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBEA58
EVP_DigestInit_ex.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBEA73
EVP_MD_CTX_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBEA8D

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X_free$DigestInit_exX_new
String ID:
API String ID: 4262507187-0
Opcode ID: e62312fddf008079d806520efcb95d6c161e13ca9e86869da3e1a0db40dd8aa4
Instruction ID: 6d5fdecdf84bab69854ede3d07b28b50e1de32efe30f8a9daf24b711a75ee5ab
Opcode Fuzzy Hash: e62312fddf008079d806520efcb95d6c161e13ca9e86869da3e1a0db40dd8aa4
Instruction Fuzzy Hash: 83F0A422B18A4140EB89B739F565B3962D4EF88BC4F544071EA7E477DEDE2DD4404701

Function 00007FFDFAEB1310 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

OPENSSL_sk_dup.LIBCRYPTO-1_1-X64(00000000,00007FFDFAEB089A), ref: 00007FFDFAEB1329
OPENSSL_sk_free.LIBCRYPTO-1_1-X64(00000000,00007FFDFAEB089A), ref: 00007FFDFAEB1344
OPENSSL_sk_set_cmp_func.LIBCRYPTO-1_1-X64(00000000,00007FFDFAEB089A), ref: 00007FFDFAEB1356
OPENSSL_sk_sort.LIBCRYPTO-1_1-X64(00000000,00007FFDFAEB089A), ref: 00007FFDFAEB135E

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_dupL_sk_freeL_sk_set_cmp_funcL_sk_sort
String ID:
API String ID: 1312970346-0
Opcode ID: d9421c5c70a1570cc2bea07aa0f64cab07104f549ed64c8a0e96e4bd9b222403
Instruction ID: 875dbaf7bc825f7c8ae2e14a72b764d29f3ce6c36c5974c30c4deffc36098806
Opcode Fuzzy Hash: d9421c5c70a1570cc2bea07aa0f64cab07104f549ed64c8a0e96e4bd9b222403
Instruction Fuzzy Hash: EFF0FE12B09A8181EB49B726F5A16785350DF88BC8F444071EA6E477DFED2ED4514641

Function 00007FFDFAEE1F30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFDFAEE2007

Part of subcall function 00007FFDFAE91032: EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0C96
Part of subcall function 00007FFDFAE91032: EVP_CIPHER_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0C9E
Part of subcall function 00007FFDFAE91032: EVP_MD_CTX_md.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0CB0
Part of subcall function 00007FFDFAE91032: EVP_MD_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0CB8
Part of subcall function 00007FFDFAE91032: EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0CD1
Part of subcall function 00007FFDFAE91032: EVP_CIPHER_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0CD9
Part of subcall function 00007FFDFAE91032: EVP_CIPHER_CTX_block_size.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0CEF
Part of subcall function 00007FFDFAE91032: BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0D63
Part of subcall function 00007FFDFAE91032: BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE0D9E

BIO_ctrl.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE2137

Strings

ssl\statem\statem_dtls.c, xrefs: 00007FFDFAEE2190

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_ctrl$R_flagsX_cipher$D_sizeX_block_sizeX_mdmemcpy
String ID: ssl\statem\statem_dtls.c
API String ID: 3785471851-3166991913
Opcode ID: f0376476223ca5b5eb1193b58123743fc5de8f64405c368878a7a5e3f396095d
Instruction ID: 63eaf97d8924a9acf8a457e28610988e27746717b4e2491203965709c905b265
Opcode Fuzzy Hash: f0376476223ca5b5eb1193b58123743fc5de8f64405c368878a7a5e3f396095d
Instruction Fuzzy Hash: 0A617B32304BC492D788EB15E490BAA77A8FB88B84F114176EF9D43795DF39D461C700

Function 00007FFDFAE9188E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED5A1A
OPENSSL_sk_value.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED5A55

Strings

ssl\statem\extensions_srvr.c, xrefs: 00007FFDFAED5AFF, 00007FFDFAED5B30

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: L_sk_numL_sk_value
String ID: ssl\statem\extensions_srvr.c
API String ID: 557030205-3756415750
Opcode ID: c0599a210c79e4edeeb1c87807e58ce92dba7f9b44aa9649bd85fe6edf7b05ca
Instruction ID: f91196e31a39c21c582dff7260f7d512f0b90e8213c2704f00d3a685282b10e5
Opcode Fuzzy Hash: c0599a210c79e4edeeb1c87807e58ce92dba7f9b44aa9649bd85fe6edf7b05ca
Instruction Fuzzy Hash: 59514672B08BA185E754AB11F498A6A77A8FB447C4F548171EEAE0B7C8DE3ED440CB00

Function 00007FFDFAF79770 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FFDFAF79779

Strings

invalid random_device value, xrefs: 00007FFDFAF7978C

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: rand_s
String ID: invalid random_device value
API String ID: 863162693-3926945683
Opcode ID: fb8b8b0a59541a3b5094057a7a931a89cd1326ed5fda1f5c0a2957855d45c4c1
Instruction ID: 18cd59885ef890eaf459d6a0ac74a3e2d14d91b51618b4f2983047e1d27c3cd1
Opcode Fuzzy Hash: fb8b8b0a59541a3b5094057a7a931a89cd1326ed5fda1f5c0a2957855d45c4c1
Instruction Fuzzy Hash: 7C51E526F18E4785F38A9B34A4B19B96360BF153E4F4443B2F57E2E5D9DF28F4928200

Function 00007FFDFAE9DA00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFAE9DA85
BIO_write.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE9DAAA

Strings

ssl\record\rec_layer_s3.c, xrefs: 00007FFDFAE9DB2E, 00007FFDFAE9DB7D

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: ErrorLastO_write
String ID: ssl\record\rec_layer_s3.c
API String ID: 186964608-1276297817
Opcode ID: fd81688a79d4b43537f48702839cf65589caf88959d67b8bbd43040e11293d13
Instruction ID: a5911d686503ffdc3a137b1ebeb54f692a03a66b66267e9a0c5ee956412077b7
Opcode Fuzzy Hash: fd81688a79d4b43537f48702839cf65589caf88959d67b8bbd43040e11293d13
Instruction Fuzzy Hash: AF41C372709B5282EB289F15D4946A973A0FB48B9CF148171DB6E07BD8DF7EE461C700

Function 00007FFDFAE91DBB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED926B
BIO_set_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAED9278

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFDFAED94B8

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID: ssl\statem\statem_clnt.c
API String ID: 3946675294-1578583260
Opcode ID: c3d478adcc933f2a31e5845737007983ddc5824918a6adc7ea54315452cafe66
Instruction ID: b6f0154973ce2ba55c750c5488b7f8b3955495fc52b7e534ff685539d3d88df2
Opcode Fuzzy Hash: c3d478adcc933f2a31e5845737007983ddc5824918a6adc7ea54315452cafe66
Instruction Fuzzy Hash: D431EB72B0864186EB58EB19E8A4B7D37A0EB49B88F148474DA5F877DDCE3ED541C700

Function 00007FFDFAE91A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB74F8
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB7573

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEB74DB, 00007FFDFAEB7554

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\ssl_lib.c
API String ID: 1767461275-1984206432
Opcode ID: 5cc7d20eb9b8f6f8db961da784c0521df782382e7ed2cee78b239302687db78d
Instruction ID: 80327cd2502d0df1dd66ed7a730cbf45fcc8f743cdc1684655073da1ed39aae3
Opcode Fuzzy Hash: 5cc7d20eb9b8f6f8db961da784c0521df782382e7ed2cee78b239302687db78d
Instruction Fuzzy Hash: A1219532F1A54282E798EB61D424BF922A1EF88784F544072D91E47BD9EF3EE551C710

Function 00007FFDFAE91E15 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEB0BE
BIO_set_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEB0CB

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEEB0EF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID: ssl\statem\statem_srvr.c
API String ID: 3946675294-322006118
Opcode ID: 86699b4dcd612fba6cb0a3e660c83f512b4b91c441ef1ea9b0412e3ee0a95d4e
Instruction ID: a5ba49f99bf289bf2cfd172cfdf0fe9e198e34abbe8e938db1adbb47dfe24df7
Opcode Fuzzy Hash: 86699b4dcd612fba6cb0a3e660c83f512b4b91c441ef1ea9b0412e3ee0a95d4e
Instruction Fuzzy Hash: 3121F731B1964286E798AB15E4B4FB83790EB88344F918071EE5E477CACF7EE946C701

Function 00007FFDFAEBEED0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64(?,00007FFDFAEBB31B), ref: 00007FFDFAEBEFC0

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBEFA8
(, xrefs: 00007FFDFAEBEF23

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ($ssl\ssl_lib.c
API String ID: 1767461275-1030215391
Opcode ID: 71b6bacd16b72d381d1bd5fd69f3c057dcdf5fe3e5776780a6cf4cdeec2f1cec
Instruction ID: 9af84d7d8793d1098bf87e8dc3e6678b15dfa1bb526b6f574d743158ebd31bf2
Opcode Fuzzy Hash: 71b6bacd16b72d381d1bd5fd69f3c057dcdf5fe3e5776780a6cf4cdeec2f1cec
Instruction Fuzzy Hash: F0219172709B4285E724AF14E4147A977A0FB48798F280275EBAD07BDDCF3ED5408B00

Function 00007FFDFAF4F210 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAF4C674), ref: 00007FFDFAF4F234

Part of subcall function 00007FFDFAF7B910: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B930
Part of subcall function 00007FFDFAF7B910: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B938
Part of subcall function 00007FFDFAF7B910: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B941
Part of subcall function 00007FFDFAF7B910: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFAF460B3), ref: 00007FFDFAF7B95D

Strings

false, xrefs: 00007FFDFAF4F28C
true, xrefs: 00007FFDFAF4F2A3

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2502581279-2658103896
Opcode ID: e8e081a8cb43ef9295a337f8ecd723003f620eb654c6ab8e603fbc288a81a766
Instruction ID: 5b1486006009341bb49f310588a2bbf2cc112dc7dcee2da6ece92fc17b9f0651
Opcode Fuzzy Hash: e8e081a8cb43ef9295a337f8ecd723003f620eb654c6ab8e603fbc288a81a766
Instruction Fuzzy Hash: 45216426608B4681E714DB21E4507A937A0FF9C7B8F940672EA9C0B399CF38D655C780

Function 00007FFDFAEEAF7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEB0BE
BIO_set_flags.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEEB0CB

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFDFAEEB0EF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID: ssl\statem\statem_srvr.c
API String ID: 3946675294-322006118
Opcode ID: 3ea748118843faef1c8a2e85082df80ab2c47ae2f2f8834f916e36369f234119
Instruction ID: d068ded0b9a1bec0b1f6e99b54ec0c40ae780608387c7fecb40eb298c920d26b
Opcode Fuzzy Hash: 3ea748118843faef1c8a2e85082df80ab2c47ae2f2f8834f916e36369f234119
Instruction Fuzzy Hash: 0B119331F1524286FBA8AB11D4B4F793790EB85300F858074DE5E076C9EF7EE9458B05

Function 00007FFDFAEACCDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEACF84

Strings

SHA256, xrefs: 00007FFDFAEACE00
IDEA(128), xrefs: 00007FFDFAEACD5A

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: O_snprintf
String ID: IDEA(128)$SHA256
API String ID: 3142812517-2727354722
Opcode ID: d239a6e0a5cc01775a3a95ede22f8470c87dfa4f8994d46dfba8b10cb1df99b7
Instruction ID: 003c08349c9cff57cd305dfe8887b3a5df56d39477cf822a447300c70302c132
Opcode Fuzzy Hash: d239a6e0a5cc01775a3a95ede22f8470c87dfa4f8994d46dfba8b10cb1df99b7
Instruction Fuzzy Hash: F61193B6F8C74380E37C66A8A0A887956A0FFC1754F0541B2DD7F1AADC8E3EE9518344

Function 00007FFDFAE91D61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE97346
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAE97378

Strings

ssl\d1_msg.c, xrefs: 00007FFDFAE97336, 00007FFDFAE97368

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\d1_msg.c
API String ID: 1767461275-1025316197
Opcode ID: d2a58c442cffbe6c02702d0a3a6f5bacfdeb2b3217e808f4e32dff1d43564172
Instruction ID: 3f4697f2a4746c57b5c3107c78901bd78408e2c5160f218b487c1a913fa3dde2
Opcode Fuzzy Hash: d2a58c442cffbe6c02702d0a3a6f5bacfdeb2b3217e808f4e32dff1d43564172
Instruction Fuzzy Hash: 85116621B0874682F714EF12A4206AD7364BF88BD8F540171EE6E57BDDDF3ED9558600

Function 00007FFDFAE922F2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBF855
conf_ssl_name_find.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBF884
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBF8B0
ERR_add_error_data.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBF8C7
conf_ssl_get_cmd.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBF980
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBFA11
ERR_add_error_data.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBFA51

Strings

!, xrefs: 00007FFDFAEBF841
ssl\ssl_mcnf.c, xrefs: 00007FFDFAEBF83A

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error$R_add_error_data$conf_ssl_get_cmdconf_ssl_name_find
String ID: !$ssl\ssl_mcnf.c
API String ID: 1136227658-1039655086
Opcode ID: 16c5e490804405a219c571e559f7b6d86f21c4abe29403bfc206e8a60db8770c
Instruction ID: e831b7068d44c005ccab8d5e03c8c4b05ba0e4cc68bb663b13bc694add8f7e60
Opcode Fuzzy Hash: 16c5e490804405a219c571e559f7b6d86f21c4abe29403bfc206e8a60db8770c
Instruction Fuzzy Hash: 41016D67F0924157F75CA691A824FFA1151AF447E4F008079FE2E077C9DE3ED5514710

Function 00007FFDFAE91C8A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

EVP_MD_CTX_copy_ex.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEE5D8C

Strings

ssl\statem\statem_lib.c, xrefs: 00007FFDFAEE5D5B, 00007FFDFAEE5DA2
~, xrefs: 00007FFDFAEE5D53

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: X_copy_ex
String ID: ssl\statem\statem_lib.c$~
API String ID: 774438373-1196924433
Opcode ID: 2c7f6ccde6b6c72d22731ae92f331437733496d88560b01ce29e2e1bed4be32a
Instruction ID: f7eb818e6857d9935c47168306b1e0194ab8702a23d15ef50639356c928ecbf8
Opcode Fuzzy Hash: 2c7f6ccde6b6c72d22731ae92f331437733496d88560b01ce29e2e1bed4be32a
Instruction Fuzzy Hash: FB016871B1960181F7509720E424BAE7394FF88B94F580570DD2C8B7E8DF3EE5828B00

Function 00007FFDFAE912A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB9F9D
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB9FD4

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEB9F7E, 00007FFDFAEB9FB5

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\ssl_lib.c
API String ID: 1767461275-1984206432
Opcode ID: 668e39b8f09f8e2e09e19568bb60b92b60d80ba04b57040821964baf901559d1
Instruction ID: 9cc1864b31f45ff5ad2bec223b2c53aeca821b55586558ba365b5b0c66aeddd0
Opcode Fuzzy Hash: 668e39b8f09f8e2e09e19568bb60b92b60d80ba04b57040821964baf901559d1
Instruction Fuzzy Hash: 4801F576F0928186F358AB50D828BA927A0FB40798F548175EA5D4B3D9CF7FD586CB00

Function 00007FFDFAEB9E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB9EBD
ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEB9EF4

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEB9E9E, 00007FFDFAEB9ED5

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: ssl\ssl_lib.c
API String ID: 1767461275-1984206432
Opcode ID: a520236ca836906218ab13ed502d769902421d3460436bf511007df2775abc29
Instruction ID: 0346b213adf754fdc01963ec5fb13a940b3ea484f0a1ab7c29e3758923770204
Opcode Fuzzy Hash: a520236ca836906218ab13ed502d769902421d3460436bf511007df2775abc29
Instruction Fuzzy Hash: CA01D8B2F0928586F754AB54C428BD927A0FB40748F508175D69C473D9CF7ED586CB00

Function 00007FFDFAE91F7D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC13DA
RSA_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEC13FC

Strings

ssl\ssl_rsa.c, xrefs: 00007FFDFAEC13BF

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: A_freeR_put_error
String ID: ssl\ssl_rsa.c
API String ID: 2676655247-2490807841
Opcode ID: f7afb7323dbc39f1ec4285446fb7cfc5cea401b301a1aac909f712be16032d21
Instruction ID: 0df454ef574a259ec86f3e60e42f00202520faee105238754cc1b3d689de56b5
Opcode Fuzzy Hash: f7afb7323dbc39f1ec4285446fb7cfc5cea401b301a1aac909f712be16032d21
Instruction Fuzzy Hash: 5DF0F921B0C24141EB48BB25F4606BEA7A0EF887D8F544071EA5E47BDEDE3ED5508600

Function 00007FFDFAE91D43 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBFE6A
EVP_PKEY_free.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBFE90

Strings

ssl\ssl_rsa.c, xrefs: 00007FFDFAEBFE4F

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_errorY_free
String ID: ssl\ssl_rsa.c
API String ID: 3485142574-2490807841
Opcode ID: 79be70c7d102e90a93bfa561b349fe829f840a71159723b3e49e8c9e93494490
Instruction ID: 6d17ccba1fada3313dba088914e2c5db8f3b29264586ee42d5eaa822f1db141a
Opcode Fuzzy Hash: 79be70c7d102e90a93bfa561b349fe829f840a71159723b3e49e8c9e93494490
Instruction Fuzzy Hash: DD01A222B0828146E748EB65F5545BAA3A1EF887D8F544071EA6D47BCEEF3DD500C700

Function 00007FFDFAE918F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBA881

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBA873
., xrefs: 00007FFDFAEBA86B

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: .$ssl\ssl_lib.c
API String ID: 1767461275-301046964
Opcode ID: 6d6a145ba30ba6773f5c24da8e3ec241345985f9c00227eaad4080f1ff66e480
Instruction ID: 5bd7cbe699ed9386464475faf17c094d4aa071001927a4e0854bfb888b6f89c0
Opcode Fuzzy Hash: 6d6a145ba30ba6773f5c24da8e3ec241345985f9c00227eaad4080f1ff66e480
Instruction Fuzzy Hash: AD01D672F1568282EB58EF14D829BE923A0FB88798F504072EA5D477D9EF3ED146C700

Function 00007FFDFAEA5F09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

EC_KEY_get0_group.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5F1E

Strings

{, xrefs: 00007FFDFAEA5F0E

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: Y_get0_group
String ID: {
API String ID: 3268241200-4087598719
Opcode ID: 36e2d367f5023399c4702ab0d31ec56bbda08103d5d64d7213f7a284c5badc51
Instruction ID: ac9d758890de6dc6dadac1c3b7cd555dda050312318af55cf5f6b9942b6a0ce9
Opcode Fuzzy Hash: 36e2d367f5023399c4702ab0d31ec56bbda08103d5d64d7213f7a284c5badc51
Instruction Fuzzy Hash: 5AF0A9B2B1C68286FB29BE11E0209BD6390EB85758F400071DD5E4B6DDDF3EE5468714

Function 00007FFDFAEBAF50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEBAF7E
memcpy.VCRUNTIME140 ref: 00007FFDFAEBAF9B

Strings

ssl\ssl_lib.c, xrefs: 00007FFDFAEBAF70

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_errormemcpy
String ID: ssl\ssl_lib.c
API String ID: 1385177007-1984206432
Opcode ID: 75f7a56d6ccf2d05e5c960602fc416d268f3a83e43c7add29499209c0241549b
Instruction ID: 1b4ddfed03c72061bd51b2d6bea0a57a2b8dea9465f0ab58316a746c0385fce9
Opcode Fuzzy Hash: 75f7a56d6ccf2d05e5c960602fc416d268f3a83e43c7add29499209c0241549b
Instruction Fuzzy Hash: 73E06D62F241D686E765BB64E425B9C27A0FB80384F9040B0F21E076C9DE6FA6568F00

Function 00007FFDFAF46A60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFAF46A6D

Part of subcall function 00007FFDFAF44EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF570DD,?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF44EC9
Part of subcall function 00007FFDFAF44EA0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF570DD,?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF44EF8
Part of subcall function 00007FFDFAF44EA0: memmove.VCRUNTIME140(?,?,00000000,00007FFDFAF570DD,?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF44F0F

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF46A8A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFDFAF46A95

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free$Getmonthsmallocmemmove
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
API String ID: 794196016-2030377133
Opcode ID: 2cc3f0f0aac67192b5dc527dd05e2afad95fca5d16595c67e4e5702266fb4209
Instruction ID: e9f6a581d34247ac4921c0c9fcebec64c7037eedc0a5af94177f43bdce324db5
Opcode Fuzzy Hash: 2cc3f0f0aac67192b5dc527dd05e2afad95fca5d16595c67e4e5702266fb4209
Instruction Fuzzy Hash: 45E06D21719B4281EB888F11E8A47696365EF48BE8F445174FA1E0A39CDF3CD8C4C380

Function 00007FFDFAF462E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFAF462ED

Part of subcall function 00007FFDFAF44E20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E42
Part of subcall function 00007FFDFAF44E20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E68
Part of subcall function 00007FFDFAF44E20: memmove.VCRUNTIME140(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E80

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF4630A

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFDFAF46315

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free$Getdaysmallocmemmove
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2126063425-3283725177
Opcode ID: cf3b9cb2719fd82482f242ab13e22a821fa448307bd48c7231827c29ae5e77f3
Instruction ID: b2fae1ffc55f3d5bf6bc8e900ef94da94dc9c773ad05201be74308544c6ed821
Opcode Fuzzy Hash: cf3b9cb2719fd82482f242ab13e22a821fa448307bd48c7231827c29ae5e77f3
Instruction Fuzzy Hash: ADE0301170468281EB448F11E4647696260EF48B94F484174EA1D0E398DF2CD884C340

Function 00007FFDFAF46350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFAF4635D

Part of subcall function 00007FFDFAF44E20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E42
Part of subcall function 00007FFDFAF44E20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E68
Part of subcall function 00007FFDFAF44E20: memmove.VCRUNTIME140(?,?,?,00007FFDFAF520E4,?,?,?,00007FFDFAF444AB,?,?,?,00007FFDFAF45B51), ref: 00007FFDFAF44E80

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF4637A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFDFAF46385

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free$Getmonthsmallocmemmove
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
API String ID: 794196016-4232081075
Opcode ID: 01b6df0c5a32783271c1d44743edf727b08a12ca807dc51791265def35fd431d
Instruction ID: 6a8f2df191c6b2259ffcda7552ce6c7931b1e3f484cb105dd7961d894870c0b8
Opcode Fuzzy Hash: 01b6df0c5a32783271c1d44743edf727b08a12ca807dc51791265def35fd431d
Instruction Fuzzy Hash: FCE03921B08A8281EB488F11F9A5B696260EF48BD8F440170EA1D0A3DCDF2CD994C780

Function 00007FFDFAF46A10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFAF46A1D

Part of subcall function 00007FFDFAF44EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF570DD,?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF44EC9
Part of subcall function 00007FFDFAF44EA0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFAF570DD,?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF44EF8
Part of subcall function 00007FFDFAF44EA0: memmove.VCRUNTIME140(?,?,00000000,00007FFDFAF570DD,?,?,?,?,?,?,?,?,?,00007FFDFAF5ADAE), ref: 00007FFDFAF44F0F

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF46A3A

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFDFAF46A45

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free$Getdaysmallocmemmove
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2126063425-3283725177
Opcode ID: f7e26dc4266958c173a3430888e864de7830ae0ef88cc2e19d2f4897516ce833
Instruction ID: 21e512b98ef421506223e1b511a86441a123bb45caadf3f1c2213f7af27b3f8a
Opcode Fuzzy Hash: f7e26dc4266958c173a3430888e864de7830ae0ef88cc2e19d2f4897516ce833
Instruction Fuzzy Hash: 25E06D22718B4281EB588F11E8A47696370EF4CBE8F545270EA1D0A39DDF3CD884C780

Function 00007FFDFAEA5ECB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1-X64 ref: 00007FFDFAEA5EE8

Strings

m, xrefs: 00007FFDFAEA5ED0
ssl\s3_lib.c, xrefs: 00007FFDFAEA5ED8

Memory Dump Source

Source File: 00000001.00000002.1659613927.00007FFDFAE91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFAE90000, based on PE: true

Associated: 00000001.00000002.1659594122.00007FFDFAE90000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659613927.00007FFDFAF02000.00000020.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659739933.00007FFDFAF04000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659762957.00007FFDFAF27000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659804289.00007FFDFAF2B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF2C000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF32000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000001.00000002.1659817107.00007FFDFAF39000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfae90000_EASteamProxy.jbxd

Similarity

API ID: R_put_error
String ID: m$ssl\s3_lib.c
API String ID: 1767461275-251184001
Opcode ID: 934ac4913cd8fa2c4a5d03a72c5787e349d9eab9522ccf5affefac1bcaabcaab
Instruction ID: d2be282740c51516166f7a290f01733570c85f515f6fce3759af897f53f2dd29
Opcode Fuzzy Hash: 934ac4913cd8fa2c4a5d03a72c5787e349d9eab9522ccf5affefac1bcaabcaab
Instruction Fuzzy Hash: 72D0C276B18444C6E320EF11F4105DA6320F784324F540532EF1D066E9DB3ED486CA10

Function 00007FFDFAF591C0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF591DD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF591E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF591F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF591FB

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 13193e21f149c4aeda2efa874f66700f9351542ec7569964581556df8b2039f1
Instruction ID: 9df44737d6bd7173ddc6f33b7b9fc4a240538bacad36ae955e190d0615d68744
Opcode Fuzzy Hash: 13193e21f149c4aeda2efa874f66700f9351542ec7569964581556df8b2039f1
Instruction Fuzzy Hash: 0FF03125718A4192E7489F55EDB49283324FF8CBD8F004170EA6D47BA8DF3CE469C300

Function 00007FFDFAF59230 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF5924D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF59257
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF59261
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF5926B

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ef2d8b2a1413e289d80fc6858061999c605cfe567b4026e48189ef144d76b691
Instruction ID: 10f659a3616a554e04f1e3136fa82f78b6e33a14cc3de81ed64827ed5e9f744a
Opcode Fuzzy Hash: ef2d8b2a1413e289d80fc6858061999c605cfe567b4026e48189ef144d76b691
Instruction Fuzzy Hash: 5BF03125718A4192E7489F55EDA49283324FF8CBD4F004170EA6D47BA8DF3CE469C300

Function 00007FFDFAF72920 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF7293D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF72947
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF72951
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF7295B

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 75cc225b6fd121c91b44ba4209663626a6e4a14c02222f6ea5bcb188a1c5ed31
Instruction ID: aaa5df7335dddd568e6373fe7f2db518364ccaf475696658303242448d67e437
Opcode Fuzzy Hash: 75cc225b6fd121c91b44ba4209663626a6e4a14c02222f6ea5bcb188a1c5ed31
Instruction Fuzzy Hash: D9F03C25718A4292EB489F55EDA49283324FF8CFE4F544170EA6D4BBA8DF3CE469C300

Function 00007FFDFAF58FB8 Relevance: 5.0, APIs: 4, Instructions: 16COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF58FCA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF58FD4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF58FDE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFAF58FE8

Memory Dump Source

Source File: 00000001.00000002.1659900582.00007FFDFAF41000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFAF40000, based on PE: true

Associated: 00000001.00000002.1659887076.00007FFDFAF40000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1659971608.00007FFDFAF96000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660059503.00007FFDFAFC4000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.1660129216.00007FFDFAFC8000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaf40000_EASteamProxy.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 94620383fa3d516d55b5938add7ec0024d51d320c2812d4b25e5f0045479ed3c
Instruction ID: a798dfbceb16a735c8116eb71827d7ca9db5f4909f3bf22ec6ac8ebdc6349eba
Opcode Fuzzy Hash: 94620383fa3d516d55b5938add7ec0024d51d320c2812d4b25e5f0045479ed3c
Instruction Fuzzy Hash: 8AE0BF62B1495192EB589F61EC748382334FF8CFD9F181171EE2E4A3A8CF68D458C300

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4OVYJHCTFA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\45f611bb

C:\Users\user\AppData\Local\Temp\4ab519bc

C:\Users\user\AppData\Local\Temp\EASteamProxy.exe

C:\Users\user\AppData\Local\Temp\Qt5Core.dll

C:\Users\user\AppData\Local\Temp\Qt5Network.dll

C:\Users\user\AppData\Local\Temp\blackleg.pptx

C:\Users\user\AppData\Local\Temp\decibel.mp3

C:\Users\user\AppData\Local\Temp\gqnmaqicmbds

C:\Users\user\AppData\Local\Temp\libcrypto-1_1-x64.dll

C:\Users\user\AppData\Local\Temp\libssl-1_1-x64.dll

C:\Users\user\AppData\Local\Temp\msvcp140.dll

C:\Users\user\AppData\Local\Temp\msvcp140_1.dll

C:\Users\user\AppData\Local\Temp\steam_api64.dll

C:\Users\user\AppData\Local\Temp\tbh

C:\Users\user\AppData\Local\Temp\vcruntime140.dll

C:\Users\user\AppData\Local\Temp\vcruntime140_1.dll

Windows Analysis Report
4OVYJHCTFA.exe

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON