Edit tour

Windows Analysis Report
sVfXReO3QI.exe

Overview

General Information

Sample name:	sVfXReO3QI.exe renamed because original name is a hash value
Original sample name:	26e14ee776eacbbd45f8ee346dcecfcc.exe
Analysis ID:	1496369
MD5:	26e14ee776eacbbd45f8ee346dcecfcc
SHA1:	6a61a3987cb37df8d9f143fa384206c45260db1e
SHA256:	d79890b31d4d7ae839054794768e2f238a28506673591cafe5b1b82ed157e146
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to register a low level keyboard hook

Tries to delay execution (extensive OutputDebugStringW loop)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

sVfXReO3QI.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\sVfXReO3QI.exe" MD5: 26E14EE776EACBBD45F8EE346DCECFCC)

PsiphonPortable.exe (PID: 7408 cmdline: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" MD5: 49BF9DCA0C8EAFF957F62F0F3CEF0BA5)

psiphon3.exe (PID: 7536 cmdline: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe" MD5: 03F2D4B132FC5802F9739F4B91C86C25)

psiphon-tunnel-core.exe (PID: 8156 cmdline: C:\Users\user~1\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat" MD5: 77F9FB45FA91FBC0B2105900F7AF30DF)

conhost.exe (PID: 2584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Users\user~1\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat", CommandLine: C:\Users\user~1\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat", CommandLine|base64offset|contains: (, Image: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe", ParentImage: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe, ParentProcessId: 7536, ParentProcessName: psiphon3.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat", ProcessId: 8156, ProcessName: psiphon-tunnel-core.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://api.psi.cash:443

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: sVfXReO3QI.exe	ReversingLabs: Detection: 44%
Source: sVfXReO3QI.exe	Virustotal: Detection: 44%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.6% probability

Source: sVfXReO3QI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: t:\untgz\MoreInfo\SRC\Release\MoreInfo.pdb source: PsiphonPortable.exe, 00000002.00000002.2609208112.0000000002882000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_0040372C GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040372C
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_00403211 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00403211
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_00406436 FindFirstFileW,FindClose,	2_2_00406436
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_00406DFC DeleteFileW,CloseHandle,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00406DFC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_00402E18 FindFirstFileW,	2_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_050D5CE1 FindFirstFileW,FindClose,	2_2_050D5CE1

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: global traffic

UDP traffic: 192.168.2.7:64151 -> 146.70.144.213:554

Source: global traffic

TCP traffic: 192.168.2.7:49729 -> 192.155.93.29:53

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: eljvuop.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 6454Content-Type: image/tiffCookie: ak_cuscartcart=x0es792JsQU9UiGh7qdRQDsg5TsEs1HHQ2gwlakxB8UhHggMKVMQdiNuU8Gh5XnZb+oMIqtQMgSvdauo9ZtoxB6SqgdSq4hwcCbvlBsyWyajNGqqaC+OACxPDbrqt0yXtUqRfWHt1wweFCP9qluLkHrPxC7K6jXt5KpBFbXpzbYcsD4EopkXOWo9VfrZnxTsVNiicS/3YBH04pQoialfFQI84WWIi0eoQdd8jij0s8Zc8Rtev9OUkNVMfJKlymNKdwVyC/GKLgT57lP5yWUe9dgw0u+75BrcgY5VAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: eljvuop.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 0Content-Type: image/tiffCookie: ak_cuscartcart=vWR4wVcczUw/qsqsg1H1zgAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: eljvuop.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 1047Content-Type: image/tiffCookie: ak_cuscartcart=vWR4wVcczUw/qsqsg1H1zgAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: eljvuop.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 0Content-Type: image/tiffCookie: ak_cuscartcart=vWR4wVcczUw/qsqsg1H1zgAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: eljvuop.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 143Content-Type: image/tiffCookie: ak_cuscartcart=vWR4wVcczUw/qsqsg1H1zgAccept-Encoding: gzip

Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.199.186
Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 77.68.29.80
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.199.186
Source: unknown	TCP traffic detected without corresponding DNS query: 77.68.29.80
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 77.68.29.80
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.199.186
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.199.186
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.199.186
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.199.186
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.199.186
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.34.195
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.199.186
Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 45.128.38.162
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.119.50
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.119.50
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.119.50
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 192.155.93.29

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Host: australiais.orgUser-Agent: Go-http-client/1.1Content-Length: 963Content-Type: audio/mpegCookie: D=wkKgjSLUI1gWvAYywhTgWpudEpBrwCoEQ3X9G6bxZHDby1xaL+8oLoh9t6Tzo05eXwhOQ2egrkD4eLLYHfMuziuR2UF5WDjej7e4aCjldZD6zAa+Gsv3hKxjVQ5mG45MrhtDzAGTeiACJEVc9qs+44nACu4kwjBkYsaIF0EHxko+O/HaT44tmx/TAg+g+htD0hoHU6a/ieTPWBUl0WTsgGtrqEZPDlBr/6/t+j+tb0HtcZeQtNrebO9f4zocrCdVXMtu7S3T8hfRXU+l2Vlp63KVpSu449YoGW4VAccept-Encoding: gzip

Source: psiphon-tunnel-core.exe, 0000000C.00000002.2613588387.0000000001575000.00000004.00000001.01000000.00000017.sdmp	String found in binary or memory: http://.css
Source: psiphon-tunnel-core.exe, 0000000C.00000002.2621129777.000000000A94E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://api.psi.cash:443
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1698239410.000000000A49E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1698239410.000000000A49E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1654304898.000000000A662000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1653392198.000000000A6EE000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1634915231.000000000A49B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://eljvuop.net/
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1634915231.000000000A49B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://eljvuop.net/217.138.199.186:80217.138.199.186:80P
Source: psiphon-tunnel-core.exe, 0000000C.00000002.2619227637.000000000A6CE000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1653730551.000000000A6C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://eljvuop.net:800
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1669467875.000000000A56D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://eljvuop.net:8010471047
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1698239410.000000000A49E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1698239410.000000000A49E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: psiphon3.exe, 00000004.00000003.1442580663.0000000001E16000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473000987.0000000005EF9000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1474941291.0000000005F03000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1471827251.0000000005EF1000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1475034526.0000000001E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jqueryui.com
Source: psiphon3.exe, 00000004.00000003.1428442569.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1422106316.000000000DF04000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500093045.000000000E144000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431710481.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500831334.000000000E14D000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500702174.000000000E145000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499493240.000000000E141000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499962191.000000000E143000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1421653832.000000000DB37000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500746423.000000000E146000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://momentjs.com/guides/#/warnings/add-inverted-param/
Source: psiphon3.exe, 00000004.00000003.1428442569.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444504743.000000000CD02000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444613286.000000000CD05000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1422106316.000000000DF04000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431710481.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444769779.000000000CD08000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444717984.000000000CD07000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1421653832.000000000DB37000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444570063.000000000CD03000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444674747.000000000CD06000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://momentjs.com/guides/#/warnings/define-locale/
Source: psiphon3.exe, 00000004.00000003.1428442569.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1422106316.000000000DF04000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500093045.000000000E144000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431710481.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500831334.000000000E14D000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500702174.000000000E145000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499493240.000000000E141000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499962191.000000000E143000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1421653832.000000000DB37000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500746423.000000000E146000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://momentjs.com/guides/#/warnings/dst-shifted/
Source: psiphon3.exe, 00000004.00000003.1428442569.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1422106316.000000000DF04000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431710481.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1421653832.000000000DB37000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://momentjs.com/guides/#/warnings/js-date/
Source: psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://momentjs.com/guides/#/warnings/min-max/
Source: psiphon3.exe, 00000004.00000003.1500093045.000000000E144000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500831334.000000000E14D000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500702174.000000000E145000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499493240.000000000E141000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499962191.000000000E143000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500746423.000000000E146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://momentjs.com/guides/#/warnings/min-max/isDSTShifted
Source: psiphon3.exe, 00000004.00000003.1500093045.000000000E144000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500831334.000000000E14D000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500702174.000000000E145000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499493240.000000000E141000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499962191.000000000E143000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500746423.000000000E146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://momentjs.com/guides/#/warnings/min-max/styczeD
Source: psiphon3.exe, 00000004.00000003.1428442569.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1422106316.000000000DF04000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431710481.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1421653832.000000000DB37000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://momentjs.com/guides/#/warnings/zone/
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp, PsiphonPortable.exe, 00000002.00000000.1342138864.0000000000408000.00000002.00000001.01000000.00000005.sdmp, PsiphonPortable.exe, 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: PsiphonPortable.exe, 00000002.00000002.2609208112.0000000002882000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://portableapps.com/jportable
Source: sVfXReO3QI.exe, 00000000.00000002.2605237204.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sourceforge.net/projects/s-zipsfxbuilder/)
Source: psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473663652.0000000005373000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1463554890.0000000005FA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1669356126.000000000A64C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.memoaiart.com/
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1669356126.000000000A64C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.memoaiart.com/s
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1664416805.000000000A4C6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.memoaiart.coma2938.b.akamai.net:80
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1664416805.000000000A4C6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.memoaiart.coma2938.b.akamai.net:80www.memoaiart.com:80
Source: psiphon3.exe, 00000004.00000003.1442580663.0000000001E16000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1471638538.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1475034526.0000000001E42000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1442092248.0000000005F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.satzansatz.de/cssd/onhavinglayout.html
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1666137802.000000000A7B2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://australiais.org/australiais.org:443
Source: psiphon-tunnel-core.exe, 0000000C.00000002.2608457403.0000000000F82000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://github.com/Psiphon-Labs/psiphon-tunnel-core.git
Source: psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473663652.0000000005373000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1463554890.0000000005FA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lrepacks.net/
Source: psiphon3.exe, 00000004.00000003.1430222323.000000000EE41000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1428293155.000000000CEB6000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427675274.000000000CB19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.psi.cash/?etc
Source: psiphon3.exe, 00000004.00000003.1430222323.000000000EE41000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1428293155.000000000CEB6000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427675274.000000000CB19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.psi.cash/forgot?etc
Source: psiphon3.exe, 00000004.00000003.1472835924.0000000006913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca
Source: psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473554166.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1445555358.0000000006621000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443066247.0000000006739000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/faq.html#psicash
Source: psiphon3.exe, 00000004.00000003.1426554413.000000000CB9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/faq.html#psicash-account
Source: psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/faq.html#psicashZ
Source: psiphon3.exe, 00000004.00000003.1432123300.000000000664E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433349886.0000000006668000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1434437300.000000000667C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443999867.0000000006681000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444907628.0000000006684000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/faq.html#psicashb
Source: psiphon3.exe, 00000004.00000003.1444400608.00000000068C3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1445485486.00000000068E6000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1472291031.00000000068ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/faq.html#psicashs
Source: psiphon3.exe, 00000004.00000003.1443999867.00000000066C6000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1440610650.00000000066C3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433159235.00000000066B9000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431997707.00000000066AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/faq.html#psicashtion-TransactionAmountMismatch-title
Source: psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/faq.html#psicashu
Source: psiphon3.exe, 00000004.00000003.1463378975.0000000006717000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441730730.00000000066EC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423852162.000000000E43C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1440610650.00000000066C3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427199405.000000001001F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443713968.00000000066EF000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427392429.000000000E931000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433159235.00000000066B9000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1426661379.000000000CB8E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431997707.00000000066AB000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444349174.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1448518621.000000000E650000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1424314831.000000000E65E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/fr/license.html
Source: psiphon3.exe, 00000004.00000003.1441948287.0000000006689000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1432123300.000000000664E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423852162.000000000E43C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433349886.0000000006668000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443999867.000000000668B000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427199405.000000001001F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427392429.000000000E931000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1434437300.000000000667C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1426661379.000000000CB8E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1448518621.000000000E650000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1424314831.000000000E65E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/fr/privacy.html
Source: psiphon3.exe, 00000004.00000003.1426554413.000000000CB9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/license.html
Source: psiphon3.exe, 00000004.00000003.1426554413.000000000CB9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon.ca/privacy.html
Source: psiphon3.exe, 00000004.00000003.1443066247.000000000682E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.co
Source: psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faq.html#clear
Source: psiphon3.exe, 00000004.00000003.1426554413.000000000CB9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faq.html#clear-windows-data
Source: psiphon3.exe, 00000004.00000003.1432123300.000000000664E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433349886.0000000006668000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1434437300.000000000667C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443999867.0000000006681000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444907628.0000000006684000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faq.html#clear:
Source: psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faq.html#clear?
Source: psiphon3.exe, 00000004.00000003.1443066247.0000000006739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faq.html#clearB
Source: psiphon3.exe, 00000004.00000003.1443066247.0000000006739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faq.html#clearR
Source: psiphon3.exe, 00000004.00000003.1441784900.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473554166.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faq.html#clearTB.n_
Source: psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faq.html#cleari
Source: psiphon3.exe, 00000004.00000003.1433582896.0000000006646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faq.html#clearies-to-lan#help-text
Source: psiphon3.exe, 00000004.00000003.1432123300.000000000664E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faq.html#clearinimize#heading
Source: psiphon3.exe, 00000004.00000003.1445335169.0000000006724000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443713968.00000000066EF000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444349174.00000000066FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/faqT
Source: psiphon3.exe, 00000004.00000003.1445786011.000000000671D000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1463378975.0000000006721000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441730730.00000000066EC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423852162.000000000E43C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1440610650.00000000066C3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427199405.000000001001F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443713968.00000000066EF000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427392429.000000000E931000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433159235.00000000066B9000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431997707.00000000066AB000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444349174.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1448518621.000000000E650000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1424314831.000000000E65E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1426554413.000000000CB9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://psiphon3.com/fr/faq.html#clear-windows-data
Source: psiphon3.exe, 00000004.00000003.1473554166.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html
Source: psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473726026.0000000006064000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473529864.0000000005987000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#direct
Source: psiphon3.exe, 00000004.00000003.1473133048.000000000618D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directQ
Source: psiphon3.exe, 00000004.00000003.1473133048.000000000618D000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1472291031.000000000690D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directe
Source: psiphon3.exe, 00000004.00000003.1473133048.000000000618D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directe%
Source: psiphon3.exe, 00000004.00000003.1473133048.000000000618D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directeY
Source: psiphon3.exe, 00000004.00000003.1473133048.000000000618D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directeu
Source: psiphon3.exe, 00000004.00000003.1472291031.000000000690D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directh
Source: psiphon3.exe, 00000004.00000003.1472291031.000000000690D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directon
Source: psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473726026.0000000006064000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473529864.0000000005987000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/faq.html
Source: psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473726026.0000000006064000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473529864.0000000005987000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/index.html
Source: psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/index.htmlblegectede
Source: psiphon3.exe, 00000004.00000003.1471063667.000000000696E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.h
Source: psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473726026.0000000006064000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.html#information-collected
Source: psiphon3.exe, 00000004.00000003.1473554166.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.html#information-collectedI
Source: psiphon3.exe, 00000004.00000003.1473554166.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.html#information-collectedr
Source: psiphon-tunnel-core.exe, 0000000C.00000002.2620195669.000000000A79A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/psiupload/
Source: psiphon-tunnel-core.exe, 0000000C.00000002.2620195669.000000000A79A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/web/mjr4-p23r-puwl/osl
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1664416805.000000000A4C6000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1611413530.000000000A45E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.coma248.e.akamai.net
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1611413530.000000000A45E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.coma248.e.akamai.netpsiphon.s3.amazonaws.coma248.e.akamai.netpsiphon.s3.amazona
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1530102055.000000000A462000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1539517853.000000000A460000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1543503944.000000000A45E000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1626362737.000000000A4C6000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1610820002.000000000A4A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.comhttps://s3.amazonaws.coma248.e.akamai.net
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1530102055.000000000A462000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1539517853.000000000A460000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1543503944.000000000A45E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.comhttps://s3.amazonaws.coma248.e.akamai.netpsiphon.s3.amazonaws.coma248.e.akam
Source: psiphon3.exe, 00000004.00000003.1442580663.0000000001E16000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1471638538.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1475034526.0000000001E42000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1442092248.0000000005F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/a/17622706/729729
Source: psiphon3.exe, 00000004.00000003.1442580663.0000000001E16000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1471638538.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1475034526.0000000001E42000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1442092248.0000000005F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/24431054/float-right-and-float-left-in-absolute-container-ie7-ex
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1609386724.000000000A520000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1596099817.000000000A734000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.kindletterfaq.com/
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1609386724.000000000A520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.kindletterfaq.com/www.kindletterfaq.com:443
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1596099817.000000000A734000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.kindletterfaq.com/www.kindletterfaq.com:443104
Source: psiphon-tunnel-core.exe, 0000000C.00000002.2620195669.000000000A79A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.raceegguxdas.com/web/mjr4-p23r-puwl
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1526565471.000000000A5D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.systemsafariuniversitydebt.com/web/mjr4-p23r-puwl/server_list_compressed
Source: psiphon-tunnel-core.exe, 0000000C.00000003.1526565471.000000000A5D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.systemsafariuniversitydebt.com/web/mjr4-p23r-puwl/server_list_compressedhttps://www.syst

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: 0_2_00408DA3 SetWindowsHookExW 00000002,Function_00008D75,00000000,00000000

0_2_00408DA3

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Code function: 2_2_0040522D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_0040522D

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Code function: 2_2_00404605 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

2_2_00404605

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Code function: 2_2_10001571 GetWindowLongW,lstrlenW,lstrlenW,lstrlenW,GlobalAlloc,wsprintfW,CreateProcessW,GetLastError,GetDlgItem,GetDlgItem,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,CreateProcessWithLogonW,GetLastError,GetLastError,FormatMessageW,MessageBoxW,LocalFree,GetLastError,GlobalFree,CloseHandle,EndDialog,SetWindowLongW,GetDlgItem,GetDlgItem,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,LoadLibraryA,LoadImageW,GetDlgItem,SendMessageW,SendMessageW,DestroyWindow,

2_2_10001571

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Code function: 2_2_004039E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

2_2_004039E3

Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_00405C18	0_2_00405C18
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_0040B0D0	0_2_0040B0D0
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_0040B0D4	0_2_0040B0D4
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_0040A8F0	0_2_0040A8F0
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_00419943	0_2_00419943
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_0040A260	0_2_0040A260
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_0040D470	0_2_0040D470
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_0040AC10	0_2_0040AC10
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_00409C10	0_2_00409C10
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_0040ED00	0_2_0040ED00
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_00409DC0	0_2_00409DC0
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_004195D1	0_2_004195D1
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_004196AB	0_2_004196AB
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_00418F10	0_2_00418F10
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_0040761C	2_2_0040761C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_00407033	2_2_00407033
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_00404ADC	2_2_00404ADC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_050D4120	2_2_050D4120
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_050D24DB	2_2_050D24DB
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488522	12_3_0A488522
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A485FB0	12_3_0A485FB0
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A488F5C	12_3_0A488F5C

Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: String function: 004029DB appears 44 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: String function: 00406404 appears 58 times

Source: sVfXReO3QI.exe, 00000000.00000000.1333737152.0000000000423000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename" vs sVfXReO3QI.exe
Source: sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePsiphonPortable.exe4 vs sVfXReO3QI.exe

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: sVfXReO3QI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.spyw.evad.winEXE@8/51@0/7

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: 0_2_004095EE wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_004095EE

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Code function: 2_2_10001A46 GetCurrentProcessId,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,

2_2_10001A46

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: 0_2_0040122A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040122A

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Code function: 2_2_7026124C CreateToolhelp32Snapshot,GetLastError,

2_2_7026124C

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: 0_2_004092A9 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow,

0_2_004092A9

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: 0_2_004020D2 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_004020D2

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\main[1]

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ServerListMutex-VPN
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Mutant created: \Sessions\1\BaseNamedObjects\PortableApps.comLauncherPsiphon-PsiphonPortable::Starting
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Mutant created: \Sessions\1\BaseNamedObjects\PortableApps.comLauncherPsiphon-PsiphonPortable
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{B88F6262-9CC8-44EF-887D-FB77DC89BB8C}
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ServerListMutex-CoreTransport
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2584:120:WilError_03

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

File created: C:\Users\user~1\AppData\Local\Temp\7ZipSfx.000

Jump to behavior

Source: sVfXReO3QI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sVfXReO3QI.exe	ReversingLabs: Detection: 44%
Source: sVfXReO3QI.exe	Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

File read: C:\Users\user\Desktop\sVfXReO3QI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sVfXReO3QI.exe "C:\Users\user\Desktop\sVfXReO3QI.exe"
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe"
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process created: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe C:\Users\user~1\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat"
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process created: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe C:\Users\user~1\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat"	Jump to behavior

Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: t2embed.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

File written: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\AppInfo\Launcher\PsiphonPortable.ini

Jump to behavior

Source: sVfXReO3QI.exe

Static file information: File size 6986755 > 1048576

Source:

Binary string: t:\untgz\MoreInfo\SRC\Release\MoreInfo.pdb source: PsiphonPortable.exe, 00000002.00000002.2609208112.0000000002882000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: 0_2_00402678 LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_00402678

Source: version.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x9f31
Source: registry.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0xa9c5
Source: psiphon3.exe.0.dr	Static PE information: real checksum: 0x67e6a2 should be: 0x6833b8
Source: System.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x116c6
Source: sVfXReO3QI.exe	Static PE information: real checksum: 0x22d33 should be: 0x6aab81
Source: UAC.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0xe6aa
Source: PsiphonPortable.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x23bb6

Source: version.dll.0.dr	Static PE information: section name: .code
Source: psiphon-tunnel-core.exe.4.dr	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_00419290 push eax; ret	0_2_004192BE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_050D62A0 push eax; ret	2_2_050D62CE
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481026 push esp; iretd	12_3_0A481167
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Code function: 12_3_0A481404 push eax; retf	12_3_0A481405

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\sVfXReO3QI.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\version.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File created: C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\registry.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File created: C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\UAC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Jump to dropped file
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File created: C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\newtextreplace.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	File created: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File created: C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Code function: 2_2_100012F6 GetWindowLongW,GetModuleFileNameW,SendMessageW,lstrcatW,GetDlgItem,GetPrivateProfileIntW,GetPrivateProfileIntW,EnableWindow,GetPrivateProfileIntW,ShowWindow,

2_2_100012F6

Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe

Section loaded: OutputDebugStringW count: 401

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 4C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 5C90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 5E10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 5E30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 6FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 70B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 7370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 74E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 7540000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 7560000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 7580000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: AFF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CA50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 4E90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 4ED0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 4F70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 4F90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 5030000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 50D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 50F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 5110000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 5130000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CA70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CC90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CCC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CCE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CD60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CD80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CDA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CDF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CE50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CF60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D0C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D0E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D100000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D120000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D160000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D180000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D1A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D040000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D060000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D080000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D0A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D360000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D380000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: D3A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DAD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DAF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DB10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DBD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DBF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DD00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DB30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DB70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E030000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E0A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DF20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E0C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E1B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E230000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E160000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E180000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E270000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E290000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E2D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E2F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E310000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E330000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E350000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DD00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DAF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E370000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E800000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DAF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E650000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: DEE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E4D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: FDD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E430000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E450000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E470000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E7E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E930000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CEF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CF10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: CF30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E2B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E530000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E750000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E770000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E790000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E820000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E840000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E860000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E8C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E8E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E900000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: E950000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: EB50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: FDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: FED0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: FEF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: FF10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: FF30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: FF50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: FF90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: FFB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: FFD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10370000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 108F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10390000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10910000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10930000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10950000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10970000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10990000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 109B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 109D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 109F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10A10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10A30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10A50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10A90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10AB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10AD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10C30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10C50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Memory allocated: 10EE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\registry.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\UAC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\newtextreplace.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_0040372C GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040372C
Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Code function: 0_2_00403211 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00403211
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_00406436 FindFirstFileW,FindClose,	2_2_00406436
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_00406DFC DeleteFileW,CloseHandle,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00406DFC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_00402E18 FindFirstFileW,	2_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	Code function: 2_2_050D5CE1 FindFirstFileW,FindClose,	2_2_050D5CE1

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

API call chain: ExitProcess graph end node

graph_2-6914

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: 0_2_00402678 LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_00402678

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Code function: 2_2_1000268A _,CreateEventW,CreateEventW,CreateEventW,CreateFileMappingW,MapViewOfFile,GetLastError,CreateThread,GetLastError,WaitForSingleObject,GetExitCodeThread,GetCurrentProcessId,GetCurrentProcessId,GetCurrentThreadId,GetCurrentThreadId,SendMessageW,GetCurrentProcessId,GetCurrentThreadId,SetWindowLongW,GetCurrentProcessId,GetCurrentThreadId,wsprintfW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentThreadId,wsprintfW,GetLastError,GetCurrentProcessId,SetCurrentDirectoryW,GetCommandLineW,GlobalAlloc,GlobalFree,GlobalAlloc,GetModuleFileNameW,lstrlenW,GlobalAlloc,wsprintfW,SetForegroundWindow,ShellExecuteExW,GetLastError,UnhookWindowsHookEx,GetCurrentProcessId,GetCurrentThreadId,MsgWaitForMultipleObjects,GetExitCodeProcess,GetLastError,CloseHandle,FindCloseChangeNotification,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GlobalFree,

2_2_1000268A

Source: C:\Users\user\Desktop\sVfXReO3QI.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Process created: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe C:\Users\user~1\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat"			Jump to behavior

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: 0_2_00402757 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00402757

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_00402490

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Psiphon3\psiphon.config VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: 0_2_00403A96 lstrlenW,GetSystemTimeAsFileTime,GetFileAttributesW,memcpy,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00403A96

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Code function: 2_2_100011A5 SendMessageW,GetUserNameW,wsprintfW,GetDlgItem,GetDlgItem,SendMessageW,SendMessageW,LoadLibraryA,LoadStringW,GetDlgItem,SendMessageW,

2_2_100011A5

Source: C:\Users\user\Desktop\sVfXReO3QI.exe

Code function: 0_2_00405C18 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,lstrlenW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00405C18

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	111 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	111 Input Capture	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Access Token Manipulation	1 Software Packing	NTDS	25 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Process Injection	1 DLL Side-Loading	LSA Secrets	11 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sVfXReO3QI.exe	45%	ReversingLabs	Win32.Trojan.RemoteManip
sVfXReO3QI.exe	45%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\version.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\UAC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\newtextreplace.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\registry.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
bg.microsoft.map.fastly.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://jqueryui.com	0%	URL Reputation	safe
http://momentjs.com/guides/#/warnings/add-inverted-param/	0%	URL Reputation	safe
http://momentjs.com/guides/#/warnings/js-date/	0%	URL Reputation	safe
http://momentjs.com/guides/#/warnings/define-locale/	0%	URL Reputation	safe
https://psiphon3.com/faq.html#clear-windows-data	0%	Avira URL Cloud	safe
https://psiphon.ca/fr/license.html	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/faq.html	0%	Avira URL Cloud	safe
https://psiphon3.com/faq.html#clear?	0%	Avira URL Cloud	safe
https://psiphon3.com/faq.html#clear:	0%	Avira URL Cloud	safe
http://momentjs.com/guides/#/warnings/zone/	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://momentjs.com/guides/#/warnings/dst-shifted/	0%	URL Reputation	safe
http://momentjs.com/guides/#/warnings/min-max/	0%	URL Reputation	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/index.htmlblegectede	0%	Avira URL Cloud	safe
http://api.psi.cash:443	100%	Avira URL Cloud	malware
https://psiphon3.com/faq.html#clear:	0%	Virustotal		Browse
https://psiphon.ca/fr/license.html	2%	Virustotal		Browse
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/faq.html	0%	Virustotal		Browse
https://psiphon3.com/faq.html#clear-windows-data	0%	Virustotal		Browse
https://psiphon3.com/faq.html#clear?	1%	Virustotal		Browse
https://psiphon3.com/faq.html#clearB	0%	Virustotal		Browse
http://api.psi.cash:443	0%	Virustotal		Browse
https://psiphon3.com/faq.html#clearB	0%	Avira URL Cloud	safe
https://psiphon3.com/fr/faq.html#clear-windows-data	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#direct	0%	Avira URL Cloud	safe
https://github.com/Psiphon-Labs/psiphon-tunnel-core.git	0%	Avira URL Cloud	safe
http://momentjs.com/guides/#/warnings/min-max/isDSTShifted	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://psiphon.ca/privacy.html	0%	Avira URL Cloud	safe
https://www.systemsafariuniversitydebt.com/web/mjr4-p23r-puwl/server_list_compressed	0%	Avira URL Cloud	safe
https://github.com/Psiphon-Labs/psiphon-tunnel-core.git	0%	Virustotal		Browse
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directh	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#direct	0%	Virustotal		Browse
https://www.systemsafariuniversitydebt.com/web/mjr4-p23r-puwl/server_list_compressedhttps://www.syst	0%	Avira URL Cloud	safe
http://momentjs.com/guides/#/warnings/min-max/isDSTShifted	0%	Virustotal		Browse
http://portableapps.com/jportable	0%	Avira URL Cloud	safe
http://eljvuop.net:8010471047	0%	Avira URL Cloud	safe
https://psiphon3.com/fr/faq.html#clear-windows-data	0%	Virustotal		Browse
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directe	0%	Avira URL Cloud	safe
https://psiphon.ca/privacy.html	3%	Virustotal		Browse
https://www.systemsafariuniversitydebt.com/web/mjr4-p23r-puwl/server_list_compressed	0%	Virustotal		Browse
https://stackoverflow.com/questions/24431054/float-right-and-float-left-in-absolute-container-ie7-ex	0%	Avira URL Cloud	safe
https://australiais.org/	0%	Avira URL Cloud	safe
https://psiphon.ca/faq.html#psicash-account	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directh	0%	Virustotal		Browse
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.html#information-collectedI	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directe	0%	Virustotal		Browse
https://psiphon.ca	0%	Avira URL Cloud	safe
http://portableapps.com/jportable	0%	Virustotal		Browse
https://psiphon3.co	0%	Avira URL Cloud	safe
https://stackoverflow.com/questions/24431054/float-right-and-float-left-in-absolute-container-ie7-ex	0%	Virustotal		Browse
https://my.psi.cash/?etc	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directon	0%	Avira URL Cloud	safe
https://psiphon3.com/faq.html#clear	0%	Avira URL Cloud	safe
https://psiphon.ca/faq.html#psicash-account	2%	Virustotal		Browse
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directe%	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directon	0%	Virustotal		Browse
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.html#information-collectedI	0%	Virustotal		Browse
http://c.pki.goog/r/r4.crl0	0%	Avira URL Cloud	safe
https://psiphon3.com/faq.html#clear	0%	Virustotal		Browse
https://psiphon3.co	0%	Virustotal		Browse
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directe%	0%	Virustotal		Browse
http://i.pki.goog/r4.crt0	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.h	0%	Avira URL Cloud	safe
https://psiphon.ca	3%	Virustotal		Browse
http://eljvuop.net/217.138.199.186:80217.138.199.186:80P	0%	Avira URL Cloud	safe
http://i.pki.goog/r4.crt0	0%	Virustotal		Browse
http://c.pki.goog/r/r4.crl0	0%	Virustotal		Browse
http://sourceforge.net/projects/s-zipsfxbuilder/)	0%	Avira URL Cloud	safe
https://psiphon3.com/faq.html#clearinimize#heading	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiupload/	0%	Avira URL Cloud	safe
https://psiphon3.com/faq.html#clearR	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
http://www.memoaiart.com/s	0%	Avira URL Cloud	safe
http://sourceforge.net/projects/s-zipsfxbuilder/)	0%	Virustotal		Browse
https://my.psi.cash/?etc	1%	Virustotal		Browse
https://psiphon3.com/faq.html#clearinimize#heading	0%	Virustotal		Browse
https://lrepacks.net/	0%	Avira URL Cloud	safe
https://www.kindletterfaq.com/www.kindletterfaq.com:443104	0%	Avira URL Cloud	safe
https://psiphon3.com/faq.html#clearR	0%	Virustotal		Browse
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html	0%	Virustotal		Browse
http://eljvuop.net:800	0%	Avira URL Cloud	safe
https://psiphon.ca/faq.html#psicash	0%	Avira URL Cloud	safe
https://psiphon.ca/fr/privacy.html	0%	Avira URL Cloud	safe
http://momentjs.com/guides/#/warnings/min-max/styczeD	0%	Avira URL Cloud	safe
http://c.pki.goog/r/gsr1.crl0	0%	Avira URL Cloud	safe
https://psiphon.ca/license.html	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/index.html	0%	Avira URL Cloud	safe
https://www.kindletterfaq.com/	0%	Avira URL Cloud	safe
https://australiais.org/australiais.org:443	0%	Avira URL Cloud	safe
https://psiphon3.com/faqT	0%	Avira URL Cloud	safe
https://psiphon3.com/faq.html#cleari	0%	Avira URL Cloud	safe
https://psiphon3.com/faq.html#clearies-to-lan#help-text	0%	Avira URL Cloud	safe
https://psiphon.ca/faq.html#psicashs	0%	Avira URL Cloud	safe
https://psiphon.ca/faq.html#psicashu	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.html#information-collectedr	0%	Avira URL Cloud	safe
https://psiphon3.com/faq.html#clearTB.n_	0%	Avira URL Cloud	safe
http://www.satzansatz.de/cssd/onhavinglayout.html	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directeY	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://australiais.org/	false	Avira URL Cloud: safe	unknown
http://eljvuop.net/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://psiphon.ca/fr/license.html	psiphon3.exe, 00000004.00000003.1463378975.0000000006717000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441730730.00000000066EC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423852162.000000000E43C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1440610650.00000000066C3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427199405.000000001001F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443713968.00000000066EF000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427392429.000000000E931000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433159235.00000000066B9000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1426661379.000000000CB8E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431997707.00000000066AB000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444349174.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1448518621.000000000E650000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1424314831.000000000E65E000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://psiphon3.com/faq.html#clear-windows-data	psiphon3.exe, 00000004.00000003.1426554413.000000000CB9E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://psiphon3.com/faq.html#clear:	psiphon3.exe, 00000004.00000003.1432123300.000000000664E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433349886.0000000006668000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1434437300.000000000667C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443999867.0000000006681000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444907628.0000000006684000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/faq.html	psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473726026.0000000006064000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473529864.0000000005987000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://psiphon3.com/faq.html#clear?	psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/index.htmlblegectede	psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.psi.cash:443	psiphon-tunnel-core.exe, 0000000C.00000002.2621129777.000000000A94E000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://psiphon3.com/faq.html#clearB	psiphon3.exe, 00000004.00000003.1443066247.0000000006739000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://jqueryui.com	psiphon3.exe, 00000004.00000003.1442580663.0000000001E16000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473000987.0000000005EF9000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1474941291.0000000005F03000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1471827251.0000000005EF1000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1475034526.0000000001E42000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#direct	psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473726026.0000000006064000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473529864.0000000005987000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://psiphon3.com/fr/faq.html#clear-windows-data	psiphon3.exe, 00000004.00000003.1445786011.000000000671D000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1463378975.0000000006721000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441730730.00000000066EC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423852162.000000000E43C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1440610650.00000000066C3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427199405.000000001001F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443713968.00000000066EF000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427392429.000000000E931000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433159235.00000000066B9000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431997707.00000000066AB000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444349174.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1448518621.000000000E650000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1424314831.000000000E65E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1426554413.000000000CB9E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Psiphon-Labs/psiphon-tunnel-core.git	psiphon-tunnel-core.exe, 0000000C.00000002.2608457403.0000000000F82000.00000002.00000001.01000000.00000017.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://momentjs.com/guides/#/warnings/add-inverted-param/	psiphon3.exe, 00000004.00000003.1428442569.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1422106316.000000000DF04000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500093045.000000000E144000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431710481.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500831334.000000000E14D000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500702174.000000000E145000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499493240.000000000E141000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499962191.000000000E143000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1421653832.000000000DB37000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500746423.000000000E146000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://momentjs.com/guides/#/warnings/min-max/isDSTShifted	psiphon3.exe, 00000004.00000003.1500093045.000000000E144000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500831334.000000000E14D000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500702174.000000000E145000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499493240.000000000E141000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499962191.000000000E143000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500746423.000000000E146000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://.css	psiphon-tunnel-core.exe, 0000000C.00000002.2613588387.0000000001575000.00000004.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon.ca/privacy.html	psiphon3.exe, 00000004.00000003.1426554413.000000000CB9E000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.systemsafariuniversitydebt.com/web/mjr4-p23r-puwl/server_list_compressed	psiphon-tunnel-core.exe, 0000000C.00000003.1526565471.000000000A5D0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directh	psiphon3.exe, 00000004.00000003.1472291031.000000000690D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.systemsafariuniversitydebt.com/web/mjr4-p23r-puwl/server_list_compressedhttps://www.syst	psiphon-tunnel-core.exe, 0000000C.00000003.1526565471.000000000A5D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://portableapps.com/jportable	PsiphonPortable.exe, 00000002.00000002.2609208112.0000000002882000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://eljvuop.net:8010471047	psiphon-tunnel-core.exe, 0000000C.00000003.1669467875.000000000A56D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directe	psiphon3.exe, 00000004.00000003.1473133048.000000000618D000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1472291031.000000000690D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/questions/24431054/float-right-and-float-left-in-absolute-container-ie7-ex	psiphon3.exe, 00000004.00000003.1442580663.0000000001E16000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1471638538.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1475034526.0000000001E42000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1442092248.0000000005F16000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://psiphon.ca/faq.html#psicash-account	psiphon3.exe, 00000004.00000003.1426554413.000000000CB9E000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.html#information-collectedI	psiphon3.exe, 00000004.00000003.1473554166.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://psiphon.ca	psiphon3.exe, 00000004.00000003.1472835924.0000000006913000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://momentjs.com/guides/#/warnings/js-date/	psiphon3.exe, 00000004.00000003.1428442569.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1422106316.000000000DF04000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431710481.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1421653832.000000000DB37000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://psiphon3.co	psiphon3.exe, 00000004.00000003.1443066247.000000000682E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://my.psi.cash/?etc	psiphon3.exe, 00000004.00000003.1430222323.000000000EE41000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1428293155.000000000CEB6000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427675274.000000000CB19000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directon	psiphon3.exe, 00000004.00000003.1472291031.000000000690D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://psiphon3.com/faq.html#clear	psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directe%	psiphon3.exe, 00000004.00000003.1473133048.000000000618D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://c.pki.goog/r/r4.crl0	psiphon-tunnel-core.exe, 0000000C.00000003.1698239410.000000000A49E000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://momentjs.com/guides/#/warnings/define-locale/	psiphon3.exe, 00000004.00000003.1428442569.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444504743.000000000CD02000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444613286.000000000CD05000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1422106316.000000000DF04000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431710481.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444769779.000000000CD08000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444717984.000000000CD07000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1421653832.000000000DB37000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444570063.000000000CD03000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444674747.000000000CD06000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://i.pki.goog/r4.crt0	psiphon-tunnel-core.exe, 0000000C.00000003.1698239410.000000000A49E000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html	psiphon3.exe, 00000004.00000003.1473554166.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.h	psiphon3.exe, 00000004.00000003.1471063667.000000000696E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://eljvuop.net/217.138.199.186:80217.138.199.186:80P	psiphon-tunnel-core.exe, 0000000C.00000003.1634915231.000000000A49B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sourceforge.net/projects/s-zipsfxbuilder/)	sVfXReO3QI.exe, 00000000.00000002.2605237204.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://psiphon3.com/faq.html#clearinimize#heading	psiphon3.exe, 00000004.00000003.1432123300.000000000664E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiupload/	psiphon-tunnel-core.exe, 0000000C.00000002.2620195669.000000000A79A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon3.com/faq.html#clearR	psiphon3.exe, 00000004.00000003.1443066247.0000000006739000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473663652.0000000005373000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1463554890.0000000005FA3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.memoaiart.com/s	psiphon-tunnel-core.exe, 0000000C.00000003.1669356126.000000000A64C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://momentjs.com/guides/#/warnings/zone/	psiphon3.exe, 00000004.00000003.1428442569.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1422106316.000000000DF04000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431710481.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1421653832.000000000DB37000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lrepacks.net/	psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473663652.0000000005373000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1463554890.0000000005FA3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.kindletterfaq.com/www.kindletterfaq.com:443104	psiphon-tunnel-core.exe, 0000000C.00000003.1596099817.000000000A734000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://eljvuop.net:800	psiphon-tunnel-core.exe, 0000000C.00000002.2619227637.000000000A6CE000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1653730551.000000000A6C8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon.ca/faq.html#psicash	psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473554166.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1445555358.0000000006621000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443066247.0000000006739000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon.ca/fr/privacy.html	psiphon3.exe, 00000004.00000003.1441948287.0000000006689000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1432123300.000000000664E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423852162.000000000E43C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433349886.0000000006668000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443999867.000000000668B000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427199405.000000001001F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427392429.000000000E931000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1434437300.000000000667C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1426661379.000000000CB8E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1448518621.000000000E650000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1424314831.000000000E65E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://momentjs.com/guides/#/warnings/min-max/styczeD	psiphon3.exe, 00000004.00000003.1500093045.000000000E144000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500831334.000000000E14D000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500702174.000000000E145000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499493240.000000000E141000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499962191.000000000E143000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500746423.000000000E146000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://c.pki.goog/r/gsr1.crl0	psiphon-tunnel-core.exe, 0000000C.00000003.1698239410.000000000A49E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon.ca/license.html	psiphon3.exe, 00000004.00000003.1426554413.000000000CB9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/index.html	psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473726026.0000000006064000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473529864.0000000005987000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.kindletterfaq.com/	psiphon-tunnel-core.exe, 0000000C.00000003.1609386724.000000000A520000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 0000000C.00000003.1596099817.000000000A734000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://australiais.org/australiais.org:443	psiphon-tunnel-core.exe, 0000000C.00000003.1666137802.000000000A7B2000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon3.com/faqT	psiphon3.exe, 00000004.00000003.1445335169.0000000006724000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443713968.00000000066EF000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444349174.00000000066FF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	sVfXReO3QI.exe, 00000000.00000003.1339539570.0000000003123000.00000004.00000020.00020000.00000000.sdmp, PsiphonPortable.exe, 00000002.00000000.1342138864.0000000000408000.00000002.00000001.01000000.00000005.sdmp, PsiphonPortable.exe, 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmp	false	URL Reputation: safe	unknown
https://psiphon3.com/faq.html#cleari	psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon3.com/faq.html#clearies-to-lan#help-text	psiphon3.exe, 00000004.00000003.1433582896.0000000006646000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon.ca/faq.html#psicashs	psiphon3.exe, 00000004.00000003.1444400608.00000000068C3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1445485486.00000000068E6000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1472291031.00000000068ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://momentjs.com/guides/#/warnings/dst-shifted/	psiphon3.exe, 00000004.00000003.1428442569.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1422106316.000000000DF04000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500093045.000000000E144000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431710481.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500831334.000000000E14D000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500702174.000000000E145000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499493240.000000000E141000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1499962191.000000000E143000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1421653832.000000000DB37000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1500746423.000000000E146000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://psiphon.ca/faq.html#psicashu	psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.html#information-collectedr	psiphon3.exe, 00000004.00000003.1473554166.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.satzansatz.de/cssd/onhavinglayout.html	psiphon3.exe, 00000004.00000003.1442580663.0000000001E16000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1471638538.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1475034526.0000000001E42000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1442092248.0000000005F16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directeY	psiphon3.exe, 00000004.00000003.1473133048.000000000618D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon3.com/faq.html#clearTB.n_	psiphon3.exe, 00000004.00000003.1441784900.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473554166.0000000006DC3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon.ca/faq.html#psicashZ	psiphon3.exe, 00000004.00000003.1473554166.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1441784900.0000000006D9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.html#information-collected	psiphon3.exe, 00000004.00000003.1428442569.0000000005F1F000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1473726026.0000000006064000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.raceegguxdas.com/web/mjr4-p23r-puwl	psiphon-tunnel-core.exe, 0000000C.00000002.2620195669.000000000A79A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon.ca/faq.html#psicashb	psiphon3.exe, 00000004.00000003.1432123300.000000000664E000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433349886.0000000006668000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1434437300.000000000667C000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1443999867.0000000006681000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1444907628.0000000006684000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i.pki.goog/gsr1.crt0-	psiphon-tunnel-core.exe, 0000000C.00000003.1698239410.000000000A49E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/web/mjr4-p23r-puwl/osl	psiphon-tunnel-core.exe, 0000000C.00000002.2620195669.000000000A79A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.memoaiart.com/	psiphon-tunnel-core.exe, 0000000C.00000003.1669356126.000000000A64C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directQ	psiphon3.exe, 00000004.00000003.1473133048.000000000618D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.kindletterfaq.com/www.kindletterfaq.com:443	psiphon-tunnel-core.exe, 0000000C.00000003.1609386724.000000000A520000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://my.psi.cash/forgot?etc	psiphon3.exe, 00000004.00000003.1430222323.000000000EE41000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1428293155.000000000CEB6000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1427675274.000000000CB19000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://psiphon.ca/faq.html#psicashtion-TransactionAmountMismatch-title	psiphon3.exe, 00000004.00000003.1443999867.00000000066C6000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1440610650.00000000066C3000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1433159235.00000000066B9000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1431997707.00000000066AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/a/17622706/729729	psiphon3.exe, 00000004.00000003.1442580663.0000000001E16000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1415857707.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1471638538.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1475034526.0000000001E42000.00000004.00000020.00020000.00000000.sdmp, psiphon3.exe, 00000004.00000003.1442092248.0000000005F16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#directeu	psiphon3.exe, 00000004.00000003.1473133048.000000000618D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://momentjs.com/guides/#/warnings/min-max/	psiphon3.exe, 00000004.00000003.1423035564.000000000DD3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
217.138.199.186	unknown	United Kingdom	9009	M247GB	false
77.68.29.80	unknown	United Kingdom	8560	ONEANDONE-ASBrauerstrasse48DE	false
146.70.144.213	unknown	United Kingdom	2018	TENET-1ZA	false
217.160.34.195	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
45.128.38.162	unknown	Georgia	197328	INETLTDTR	false
37.46.119.50	unknown	Sweden	51430	ALTUSNL	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1496369
Start date and time:	2024-08-21 08:58:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sVfXReO3QI.exe renamed because original name is a hash value
Original Sample Name:	26e14ee776eacbbd45f8ee346dcecfcc.exe
Detection:	MAL
Classification:	mal68.spyw.evad.winEXE@8/51@0/7
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 103 Number of non-executed functions: 130
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 23.57.90.70, 23.57.90.79, 2.19.126.154, 2.19.126.163, 93.184.221.240
Excluded domains from analysis (whitelisted): fs.microsoft.com, a2938.b.akamai.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, a3731.na.akamai.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target psiphon-tunnel-core.exe, PID 8156 because there are no executed function
Execution Graph export aborted for target psiphon3.exe, PID 7536 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:59:15	API Interceptor	1935x Sleep call for process: psiphon3.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://umayendustriyel.com/n/?c3Y9bzM2NV8xX3NwJnJhbmQ9U2tKYWJGTT0mdWlkPVVTRVIxNDA4MjAyNFUyMjA4MTQ1NQ==N0123N#victimemail##	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://dl.dropboxusercontent.com/scl/fi/4owe58ovn1ed21kp09mar/Rechnung-201528807699-vom-30.07.2024.zip?	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://github.com/Runsim12/Cleodf/raw/main/Tran_ID-Details009192_End_Ids_58788719853478_Pdf.rar	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://doc.clickup.com/9014542322/d/h/8cmxzzj-434/d3ec30ee79aa63a	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	DonghwanPOGM210820242020032108174KR18190824pu.vbs	Get hash	malicious	GuLoader, Remcos	Browse	199.232.210.172
	https://benyera.com/workprojects/index.php	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://www.lusha.com/privacy_topic/control-your-profile/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://akashguptaji.github.io/netflix/	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	http://krakesnlogos.gitbook.io/us	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://navigate-loginscreen-att-102042.weeblysite.com/	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	fn.msi	Get hash	malicious	DanaBot	Browse	89.40.206.111
	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.dat-decoded.exe	Get hash	malicious	Remcos	Browse	206.123.138.32
	Shipping Documents.js	Get hash	malicious	Remcos	Browse	206.123.138.32
	2555 750.exe	Get hash	malicious	Remcos	Browse	172.111.244.162
	DOC101@%$#@!# (1).exe	Get hash	malicious	GuLoader, Remcos	Browse	172.111.244.137
	x86.elf	Get hash	malicious	Unknown	Browse	92.249.48.62
	192.142.102.239-x86-2024-08-14T23_28_18.elf	Get hash	malicious	Unknown	Browse	92.249.48.62
	SecuriteInfo.com.Linux.Siggen.9999.23751.27873.elf	Get hash	malicious	Mirai	Browse	193.160.72.150
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	168.80.203.80
	https://mytools.graphic.com.gh/Uoqgx	Get hash	malicious	Phisher	Browse	195.133.83.100
ONEANDONE-ASBrauerstrasse48DE	ExeFile (233).exe	Get hash	malicious	Emotet	Browse	74.208.45.104
	ExeFile (249).exe	Get hash	malicious	AZORult, PureLog Stealer	Browse	82.165.119.177
	ExeFile (260).exe	Get hash	malicious	Emotet	Browse	217.160.182.191
	ExeFile (267).exe	Get hash	malicious	Emotet	Browse	74.208.173.91
	ExeFile (278).exe	Get hash	malicious	Emotet	Browse	87.106.46.107
	ExeFile (305).exe	Get hash	malicious	Emotet	Browse	87.106.46.107
	ExeFile (317).exe	Get hash	malicious	Emotet	Browse	74.208.45.104
	ExeFile (323).exe	Get hash	malicious	Emotet	Browse	87.106.46.107
	ExeFile (333).exe	Get hash	malicious	Emotet	Browse	74.208.173.91
	ExeFile (347).exe	Get hash	malicious	Emotet	Browse	87.106.46.107
TENET-1ZA	Proof of Payment.exe	Get hash	malicious	Remcos	Browse	146.70.137.90
	sora.arm.elf	Get hash	malicious	Mirai	Browse	146.65.242.103
	teste.arm7.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	146.230.220.255
	45.66.231.213-mipsel-2024-08-09T11_47_09.elf	Get hash	malicious	Unknown	Browse	163.200.154.41
	mpsl.elf	Get hash	malicious	Mirai	Browse	146.236.61.218
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	146.238.134.127
	185.196.11.135-x86-2024-08-06T18_49_53.elf	Get hash	malicious	Mirai	Browse	146.236.61.249
	154.216.17.9-skid.x86-2024-08-04T06_23_12.elf	Get hash	malicious	Mirai, Moobot	Browse	146.69.37.143
	77.90.35.9-skid.sh4-2024-07-30T07_10_53.elf	Get hash	malicious	Mirai, Moobot	Browse	152.106.28.80
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	196.248.26.3

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\version.dll	Psiphon_3.179.msi	Get hash	malicious	HTMLPhisher	Browse
C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\System.dll	HolyTom980.exe	Get hash	malicious	Unknown	Browse
	https://xiuxiu.dl.meitu.com/pc_channel64/xiuxiu64_pc.exe	Get hash	malicious	Unknown	Browse
	ReimagePackage.exe	Get hash	malicious	Xmrig	Browse
	ReimagePackage.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.W32.PossibleThreat.20191.6097.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.iWin.17190.677.exe	Get hash	malicious	Unknown	Browse
	http://xiuxiu.dl.meitu.com/xiuxiu64_beta7.exe	Get hash	malicious	Unknown	Browse
	https://download.zotero.org/client/release/6.0.26/Zotero-6.0.26_setup.exe	Get hash	malicious	Unknown	Browse
	2Ir9YQkiGJ.exe	Get hash	malicious	Unknown	Browse
	theword-setup-en.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user~1\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1960
Entropy (8bit):	5.332766844549583
Encrypted:	false
SSDEEP:	24:YxphT/fCI3Rb+a0Lh7JWCxJAYDJAYQtqFsRt7RtNRtbRtZRtLRtFRtQ6RtaiRtQE:YxphjffB+NLTWKPfHvHk
MD5:	6759B6D9CAA66F4483FF25BBDFCA9E84
SHA1:	16233624AF89690D7D7EEF952CA3A3B8C68576D2
SHA-256:	16FD7DF6E68DA138D7A005C27E53049443F7AE05383719AC397E8ECA3CB6EE6C
SHA-512:	27559550181E393963CA768311AD44044080C3E6DC989885D2E3820433DFF81303084BC501FADC2F31F41807D29BD51DB4DF4DA617EAE4FB36FE80D19CAEAD92
Malicious:	false
Reputation:	low
Preview:	{"instance":{"instanceID":"instanceid_FAw7LhfdG7IOxhJyWBCiJGMxz7PDKe4OKk8Hnio5IibGpaOw","isLoggedOutAccount":false,"locale":"en-Latn-CH"},"user":{"accountUsername":"","authTokens":{"earner":{"Expiry":null,"ID":"token_tracker_earner_9c47b37948e0e55ff63f371d69ecd9aff8f0cc62149222c864cffade1fe2dea1"},"indicator":{"Expiry":null,"ID":"token_tracker_indicator_14c84dbe13ceb3625870048c7e594066803485557277d17111cf94ff9f7e3d61"},"spender":{"Expiry":null,"ID":"token_tracker_spender_c4940f756c336c2330379a7645142e35764ab32f8f7846f37c2edc8676eb9a97"}},"balance":90000000000,"cookies":"AWSALB=0PHmaQIRJlBjghB6Sf3vn/VBxJBpCi1i/M/h99zJXoyzPDze/I2chYPybipeHakTKmw20VhARSU8FgKWcaNvf1XugAjXFZha8sxV+fRfyZEZjxCqJkgl0PIYes2b; AWSALBCORS=0PHmaQIRJlBjghB6Sf3vn/VBxJBpCi1i/M/h99zJXoyzPDze/I2chYPybipeHakTKmw20VhARSU8FgKWcaNvf1XugAjXFZha8sxV+fRfyZEZjxCqJkgl0PIYes2b","isAccount":false,"purchasePrices":[{"class":"speed-boost","distinguisher":"1hr","price":100000000000},{"class":"speed-boost","distinguisher":"2hr","pric

C:\Users\user~1\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.commit (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1960
Entropy (8bit):	5.332766844549583
Encrypted:	false
SSDEEP:	24:YxphT/fCI3Rb+a0Lh7JWCxJAYDJAYQtqFsRt7RtNRtbRtZRtLRtFRtQ6RtaiRtQE:YxphjffB+NLTWKPfHvHk
MD5:	6759B6D9CAA66F4483FF25BBDFCA9E84
SHA1:	16233624AF89690D7D7EEF952CA3A3B8C68576D2
SHA-256:	16FD7DF6E68DA138D7A005C27E53049443F7AE05383719AC397E8ECA3CB6EE6C
SHA-512:	27559550181E393963CA768311AD44044080C3E6DC989885D2E3820433DFF81303084BC501FADC2F31F41807D29BD51DB4DF4DA617EAE4FB36FE80D19CAEAD92
Malicious:	false
Reputation:	low
Preview:	{"instance":{"instanceID":"instanceid_FAw7LhfdG7IOxhJyWBCiJGMxz7PDKe4OKk8Hnio5IibGpaOw","isLoggedOutAccount":false,"locale":"en-Latn-CH"},"user":{"accountUsername":"","authTokens":{"earner":{"Expiry":null,"ID":"token_tracker_earner_9c47b37948e0e55ff63f371d69ecd9aff8f0cc62149222c864cffade1fe2dea1"},"indicator":{"Expiry":null,"ID":"token_tracker_indicator_14c84dbe13ceb3625870048c7e594066803485557277d17111cf94ff9f7e3d61"},"spender":{"Expiry":null,"ID":"token_tracker_spender_c4940f756c336c2330379a7645142e35764ab32f8f7846f37c2edc8676eb9a97"}},"balance":90000000000,"cookies":"AWSALB=0PHmaQIRJlBjghB6Sf3vn/VBxJBpCi1i/M/h99zJXoyzPDze/I2chYPybipeHakTKmw20VhARSU8FgKWcaNvf1XugAjXFZha8sxV+fRfyZEZjxCqJkgl0PIYes2b; AWSALBCORS=0PHmaQIRJlBjghB6Sf3vn/VBxJBpCi1i/M/h99zJXoyzPDze/I2chYPybipeHakTKmw20VhARSU8FgKWcaNvf1XugAjXFZha8sxV+fRfyZEZjxCqJkgl0PIYes2b","isAccount":false,"purchasePrices":[{"class":"speed-boost","distinguisher":"1hr","price":100000000000},{"class":"speed-boost","distinguisher":"2hr","pric

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\banner[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 400 x 100, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	16484
Entropy (8bit):	7.967953919787607
Encrypted:	false
SSDEEP:	384:4C9TxGWrQCK4MHC5cYEN3NWQBNDE1GNMur6fa8F89CI:4C9TxXrQC2HPYEN91HwGNXOfZqcI
MD5:	08B36B5183A2F59EA4B945E69D1DC56F
SHA1:	69B17763145A4F6A92493CFE57A7132C80AB2D0C
SHA-256:	F1F61A3FDE6BEAF0F24AC19A729D6E596AB305BDFE2E0F75A69C5157F2495101
SHA-512:	2E1618B6E9D5EC3FBEEDFD0C9A93E71E7A0DED26D22EFC359E5D887FAB47A77EE5E57DDD88E70A5DA22E9D89D31A0F197B0D843C419887B3685FD83187E7DDA0
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.......d.......fw....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.paint.net 4.0.5e.2e..?.IDATx^.w..U.._..n2.i. .C.. J.r...(`D.(......].( .......(...q..kX.D......4]m.S5....<....T..U..7.....@.....A...M,nX.7.A9.....]...........hy9r$......X..g..c%....jb..`..-/.@(............~..f\|.5.k-/...`......,x....!v...MP..Bu9B.w%......iy...8:t....-J.T..n(...\|-/.......\..#.....Z^.A=vBm-..J(.^-=.....Z......G.K......<G..&........s.H6<{'.~..g.......R..:.<.?.7....U.jy..u....<.L...^..$.....^.z!.......jy..u.....<.TBa..}Z.0.n.f..K.....t..x...`..Z~..../..j)...r.H%<..........-.o.;>...#....<;S...l{-/S..V.O%-...V...i.l(.5..4-?[..g.t..Z.92...K.3...T./c:_....$tS..<;O.V.9._.fz&A=.!.A....Y.\|....8J;..P......MP..P.....x.....~...-P..$!3..!.P..%s...!.Y8.Tq...,....b.<&.P...Z...(......s.H.<.C.Z^6A.dZ.....9.R.....H-O..A.CC".9\|..!#..z...Z^E..D"".yl....}U_...(.LX....Nx.....\|...-P.w..n.a.*(Du..kT........H;&.P..P..U.% ...<..'V(.!.G...(.qR.h....n

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\speed-boost-button-1-week[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 388 x 404, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	9910
Entropy (8bit):	7.936235772936234
Encrypted:	false
SSDEEP:	192:hutEWj6HAM/fW7Xl5zsWCLDJgDxJpyaniP9KtYPan0Jf90YOvEF8:hutEghyfMV5j2EpJi1ZuC1Dw
MD5:	E708E1E407BF824652BA72FC682D113C
SHA1:	3A069826F16E1F8485410A6B414311DA843A912D
SHA-256:	620E079BD083BCF3F4A31653BDB37335ED319BCC1C61D0F0CAB5E76140498C09
SHA-512:	58A3FC0D57493E2C988E7963EC14E213CCBD13B278126EA780696EE928B57E498462DBC6DD8C8E2DA284CD2BA8C1438FB5857A641C848D9E4377D2E667036D19
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................z....PLTE.............................{.......F..:ks.1.....=...............z..w....y.c.lKr..0!3.x.<)>8#D.........q......z...b..[.._..]..........V..Z....X..`....d.....U..Y..e..g..T.Hj..............S.....c..0..i..d..j..k.....j.....l.Kn....Fh.......Bf......'...........Z....+.........@d............A'..k.....Yw....\|....1...c......s.H..FN....f.&..7....m..!..6a."+......#~...hi..`..x..X..!..m..8.v9....&T.....S..^.{..b2.V..Vk..G....p7..=.......>.........U.........^.\c..g.SZ........h..O.J.Tu.....V.C.<D.5=.:=.....i.......o.....b^.NN........j......?......t..Y~..i.ti.....b..S.:W.........F......(.}d.........29.ek......Fk.i.....pv.......".VF..M....\.............y..\..G.u{.jf....lG.3......to.........ys...b....2K....K...'tRNS...."O<&^Yg.FTTF.F3.DX...T.p.dS...........#PIDATx...Yj.0...L{ .l.6H.....C..I..3.".B......i......m..^....n.K.>}...2.\|..]......A...b.....#.C..xlP......>.)Z./B.....\|....qD...$.m:#x........$.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\turtle[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7704
Entropy (8bit):	7.9508788532251655
Encrypted:	false
SSDEEP:	192:Z1d9Mzx8Ljf+kQpHbkKYibZp6KUjVNQZcC/7sUzv:Z5Mzx8Ljf+zk2pWVNhwv
MD5:	286219B85A1E164CA230105DD4A8BEDE
SHA1:	90764C281427876BD4181D9A131E66E855D24A45
SHA-256:	3517D9C2EEC3B0255E04C464575D0AD0124C5A14DE087007E5F083978EDC718D
SHA-512:	BD191F75A45C0559301CD9C9E2CBB586643ECD1855B5A6709AD8E0FB1F5C576029D2412B05E3FF8C884814296184326366DA429B6C72B84F67BABA3E48A2F598
Malicious:	false
Preview:	.PNG........IHDR..............>a.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..]I...y...}.......e.#..B#.F9.9.1..`.b....p .h...O......B....... . .F..)v..M.2....}_+.......b.~.k..^.....y....1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..-.....,\$/.....S...I.......j:a. ..J^.$-...7I.f.a..@.:G^X..;.~.D .O.p.P....(~..\!m...:.&..-.....g.u8.. .....-...1..Q.....i.L...=....%.e..{.&..._'/...GK.....Z..5.I.k5...:...A.J..#\|.......x...c.v...Y.D..J.=.......!.Y......'..-Yaw.J.......}J..S>Z...{_.G...../O}...I.]...........`..G1...3.............7..?......F. ..e.....J%......#s[...k..;..to....EG.......Wd._[[../..!..G...y.v...R)..W"_.L.J./.U .D..]C.G...j.;.G../8.<.....t{ee.^..uY.,...{....P+............^I...B.......@.....)b...\|.l...../..o...\|...wI.<....}...f .\7.;..@.&.p..=.....Q.lp..MJ..dyyY>...Z.....JDY"..d.x0..)m....;........ .@.@.s#H..........e....5..Z....<...e.E.=..5..._.6F..8..3.8w.\W..`......:.....U.[.........X.....J.x..Vr..%.......,w}..Q...0.7..I.n..xb]G.~..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\flags32[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 32 x 7904, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	52207
Entropy (8bit):	7.969320259594288
Encrypted:	false
SSDEEP:	1536:jwygiH5MKBCrf6n2QlITH+TvEMCFDM/e5lbV:FZNCiEHQn0bV
MD5:	722CEB7B1F4A8E338CA9582B10CED8D3
SHA1:	C3E49967B8ED69AB9EC6A9F927B529CBC479ED73
SHA-256:	9A97CA877033652187DC9BB105D1A6CB7E041B9779982ADD3576EEB8DFA2701F
SHA-512:	4B902307444F4DCFFCCB214D6ED07E35343D9D5C014A0B9ED75B8DAF97B91F3DC57774DBD656ABAD6601F48B75AC4D0AF44D880CC3EBAA3A554828205AD2ED6F
Malicious:	false
Preview:	.PNG........IHDR... .........b.s.....sRGB.........gAMA......a.....PLTE...................................)..2... $..."........T.X\.....$...uz.......mr.OU...l.}.....#(..Y.CH$.[.....d.fi..!.......3..:>.Q...LX...w3..M..t.15Jf..HO...H.r.$~..=.]fY..u........N....,5.j..).....:..-.~..A...x..t..'.......Uj..Vt.NQ...[%%}P.}.......J.IIIp..jk....A^....`..)J.F...t.FH..~#.....i.W.Z.$ ! w..5S.~.......01.s..d..fee)..tv..'<.Ug...k..]_.H...f.......trt.......K...2.@.b{....o....M....\........4F.....@w....WVV......+.......!6A.gs...ma..\...V/n.......og...e;........M.AU5;.2110.X........x...c...W.....b.....:...}..`K{O....q.t%c.>>=....n..D.....Tn....f4S.!.^Z.qpC<...HW......d........Y.....EF.._......a.b.9#....kx.:..~..B.H<q.Z.a3.t@i_.>.=.hu.....!.f......%..$...H.....K^..?.k-8....#tT97in82E@..~.'..}.c^Y2..z.Hs...U..c.2X.Y.F.....tRNS.D..Y".'.......p.,.j...qIDATx...X.W.?........O....ADPH.+".8F. "...n.7@..><*.4..F.../..F7...k)..E..../..."..ou.V....m...h.]w7..$3.\|rf&0.9.\|o.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\icomoon[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	Embedded OpenType (EOT), icomoon family
Category:	dropped
Size (bytes):	25544
Entropy (8bit):	6.2856527324339
Encrypted:	false
SSDEEP:	768:8AQHnyHsqQ/wFJ+AwV4UPxHMjKiM3C4R+qwogeeZq7g8Y:8AQHnyMqI6GPy63rEogeeZq7g8
MD5:	79CE7E9887A670AB6A18EAF59CAB7FA7
SHA1:	0C3C11723E52BC35F8A69C5ACD37AEA959A3E2B7
SHA-256:	24F0C91CD083494F5475C9DDE62F4477EA9FAE06DF25C398949781FF879FCD83
SHA-512:	95E2686590CBBD8BA86D006590EFF3E83CC5E29CEAE2342C949673A53B1CBC8B9A1E309742572BB67B49A2E03FBAEEB746A0C8132F379D08C5DB008C28039A27
Malicious:	false
Preview:	.c..$c............................LP.........................3$i....................i.c.o.m.o.o.n.....R.e.g.u.l.a.r.....V.e.r.s.i.o.n. .1...0.....i.c.o.m.o.o.n................0OS/2...Q.......`cmap.8.g........gasp............glyf..........\\|head..V.._<...6hhea......_t...$hmtx"..].._....,loca...4..`.....maxp.].%..a\... name.J....a\|....post......c.... ...........................3...................................@.........@...@............... .....................................\.@....... ...r.... ....7.....................,.4.7.:.E.K.W.Y.\.c.\|..................... ...r.........7.....................,.2.6.9.D.J.T.Y.[.b.y.~.......................a.....]...................~.H.E.C.!.........................................`........................................................................................................................79..................79..................79...............".U..."&'..7.>.38.12.......&'...#".....#.#"&=.#...+."&5.4632.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\main[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	HTML document, ASCII text, with very long lines (35110)
Category:	dropped
Size (bytes):	3096216
Entropy (8bit):	5.538652298715578
Encrypted:	false
SSDEEP:	49152:DnabrCjlQyjRO6U231I788BIOxF0alPPrRYmSWrp7uniB1RNOoLqWIaN7ldtF4xH:QOxCEtwhcSdyT
MD5:	AC29386BFB2CD747D4E4F4C6ACB02D1C
SHA1:	B1A25A6AC9CFADD39C2A4BC8A10C71398B32732C
SHA-256:	22C54BDBC15BB3F4D84A7FFEAFD310ADF6A0DE9C6DA45952EAD449FCF5B80258
SHA-512:	92FC1328CB86F98A87B792385776A0B9D2BE81F7ABC846D7C9C0F928B66C08AF3518FBB886D69E2ED5B2FAA73FA024FBA7F29576DCDB78FA3C05CC6173D09F02
Malicious:	false
Preview:	<!doctype html><html class="no-js" lang="en"><head><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta charset="utf-8"><meta name="viewport" content="width=device-width,user-scalable=no,initial-scale=1,minimum-scale=1,maximum-scale=1"><title></title><link href="data:text/css;base64,LmNsZWFyZml4IHsKICAqem9vbTogMTsKfQouY2xlYXJmaXg6YmVmb3JlLAouY2xlYXJmaXg6YWZ0ZXIgewogIGRpc3BsYXk6IHRhYmxlOwogIGNvbnRlbnQ6ICIiOwogIGxpbmUtaGVpZ2h0OiAwOwp9Ci5jbGVhcmZpeDphZnRlciB7CiAgY2xlYXI6IGJvdGg7Cn0KLmhpZGUtdGV4dCB7CiAgZm9udDogMC8wIGE7CiAgY29sb3I6IHRyYW5zcGFyZW50OwogIHRleHQtc2hhZG93OiBub25lOwogIGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50OwogIGJvcmRlcjogMDsKfQouaW5wdXQtYmxvY2stbGV2ZWwgewogIGRpc3BsYXk6IGJsb2NrOwogIHdpZHRoOiAxMDAlOwogIG1pbi1oZWlnaHQ6IDMwcHg7CiAgLXdlYmtpdC1ib3gtc2l6aW5nOiBib3JkZXItYm94OwogIC1tb3otYm94LXNpemluZzogYm9yZGVyLWJveDsKICBib3gtc2l6aW5nOiBib3JkZXItYm94Owp9CkAtbXMtdmlld3BvcnQgewogIHdpZHRoOiBkZXZpY2Utd2lkdGg7Cn0KLmhpZGRlbiB7CiAgZGlzcGxheTogbm9uZTsKICB2aXNpYmlsaXR5OiBoaWRkZW47Cn0KLnZpc2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\speed-boost-button-1-month[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 388 x 404, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	9178
Entropy (8bit):	7.933402073105207
Encrypted:	false
SSDEEP:	192:S+0F3jedyxpqMmr97ll0QBRjxKyzRSqdAwAIWARfnIIOEDxkZeZrw:gjyyDqxr97ll0QBRjxFzDoIWARvII9a7
MD5:	54A1016B9972EB3212C0C46148C57EB8
SHA1:	C766CB1A2CDD7390873F4C6AEF6A868B53C8E331
SHA-256:	BC35AA6BA249B5E9BA38A0345E354589450751CE63AA5455567B8062A37C7597
SHA-512:	C6289A72361AEEDCA179CA22DA8B6D632356A68AD660E5A1C59472792F6D762E52CE907DAB9A7C9425AEC5679F3AF7AD17E4A3AF45E7ACB131D086F3E4DE7819
Malicious:	false
Preview:	.PNG........IHDR................z....PLTE.............................z...u....E..:.].u...Oj.@d.Hx.....x~..p....xPm.b..w..\}...z.............#..$.....!....!..%...... ..Hj."........%................... ...............'..$.......&.... ...."..$..............0.......)..........(....(..........+.....m..,..'..-..l..,...~...n.....o..Jm.Be....n......+........-....o......./...'....Xy.....p......+.}..........v..!......C.H..Dy...~U...'.9....I..k..e..c.....6..5.0...p.#,........T..E....GO.......=c. ....M.."..^e..<.0.....2...&~"....f.......6>.8..3.......da.6..0\.!Q....H..`..U...~.............o.......2..;...`.h..A..[..~....MM.8;.q.....4.....=...........qw...@G.......r..%....."..T[.}u...............-..W.P..d..A..n.X..Ef.y..<Z...-m....RY..........w..6Q.~.)>.......p..u.9S....tRNS....!O&^<.g.FTF.TTE3.......g.... pIDATx...Ij.@....A..........1I....S....>....^...=..F.z.6...N..:.q..N...1p...m.s`.....I.....\...z..`..p).B...A....{.1.b\|.B.n. =.[...(..F!..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\logo[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 200 x 200, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	4283
Entropy (8bit):	7.754381978494951
Encrypted:	false
SSDEEP:	96:qc/7kHkCHEHjXan7z/gOOJj66jNBWxfyJBOlfCSh+Yl:qcTokBXan7UOGLjKxfeBUnPl
MD5:	4E73FC2EE755F35BC816F07CF640B2A2
SHA1:	B16CF6588D9A31463121829955AE010447DB2F10
SHA-256:	0E9458EB26515B4AFF8769E3E9D67836110824CD4E016C18E571DAB20A6A53FE
SHA-512:	C5893B8497BEDDE2919DFDB2799F06E4E8AE6029B39218737F11E47E953E62CE027AB6423C3BFC40A601482553F80BC8CF07B379807297B895A7ACC5642D3291
Malicious:	false
Preview:	.PNG........IHDR...............^.....PLTE.:&.<.{#.............>.....kV...I-.cR._H................ZL.......aI.C+y#....^O.L<....o`.\|o.zm.......iV....vd........hU.....eS..8..S:.R:.s.gU....[M.YK.7$.?).bQ.6..mW..z.xe.\N.sb....}...ze.nW._P.UC.;..:..<..<..>..8..5..=..<..7..4..7..:..:..1..8..8.....3..2..5../....;..:..9..2..7..:..7..8..5..=..5..1../..4..4..+..2..2..1..).....(..-..-..-..;..nW.6..8..5....-......)....&..bI.J-.4..4..(..%..2..&....0..&...../.......+....s.+..,...+..).\|$...}%.....'..V;.{e..~%..>..........{$.....s..;..;..s.<..ze...<..=..\M...<.._O.....8....bI......9..2..4..=......ZL...V;.4.......:.........hZ.VD.XE...`P.M8.fY..p.....6..qa.r...F,......m_.@0.....H5.B1.G4.]G.kW........]N.<...........;.....q.]G.........eT.5......9.......tRNS...................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\psicash_coin[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 90 x 90, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2661
Entropy (8bit):	7.909873530373701
Encrypted:	false
SSDEEP:	48:3ERCUYUEogSlvqERAphLnF4AnbI3eXvtoRqQwObJxlyLixVEpkX12:3fz3omNHnFDIO/tmzDl4ijEpi12
MD5:	CBA396707A4339C9EAD9AC6DDE96F93D
SHA1:	9CF1CB627B595C90783E781F2698176001848AD8
SHA-256:	558CBA644707914E8172333E6D8B8D73EAD464E93C2D1EDE5DD20BD64BD108C8
SHA-512:	913D703B0A5E8191E6A8659AE7496CCEEBAD2D0EC3629EB1F99F9B67DEDF6ED985012F35F602205DFF27D9F8A0697C580691B2460BC3F28D2B09770FA271CE74
Malicious:	false
Preview:	.PNG........IHDR...Z...Z.....8.A....,IDATx..][l....V....."^MpJH)...R.4)AJ..M/B.I..>..R..&&N.]#..R.....C.%.B.p..ZH.!..d..e..0..C:3.;....YK.hl..........g...O&S.'...h.,.......bhK...Ob0....[...P.s.....<dI/S...\|...w.]...1.6..\|..`.l.l..P.S..uP.;.H.e...t....i....g.^...N...,...P.' K#.%+,..Qy.........T\|3.o{...:d.#..+Y3.p'..y.x.o{pf.K..F....^.".M...y"....Y&.MP..P.v.@.#...q..<]..@i..9...t..TL+.nb^.g.qNZ.......r(.}..&&....rZS.@n."......`79k......yP..P$u..<F.&Z.P....q)......x...E..HTHu\|x(.1..5:.{..=).3.......Eg.n...2.3/.x.Y...6....].m.W....F..w........k..8...\|=..`p..../m.q.........`....hL.....1.kg;.TW...l.n...<..+..=......i..+....."..0p.TXq.....N>....j..Q..&...9i.H...O.K.V..aPz'..g.4.8...%P......xN..x ^.....D...1..6...V.z.:...4?i...<./.SXq.zvX..lV..c..}.0.aM.....x"..PF.[.A.5.M.~P..,..G...R.6..y#...n6..=...D.A..:nEd.(5/`^...e..x..]...g.........&.x...#.D...eU..N.. ..;..f....8.D..Q.}Y&.... ..#F6...d7...q..B;...9...L.....Z.i#....S..X/..#]..T

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\rocket[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5977
Entropy (8bit):	7.93144509027021
Encrypted:	false
SSDEEP:	96:fk3KslG8wrzhAZGoBb89gTsjues61+zOKF+/oLqC8fiVm2nJIA51xgI5xnTQZtIy:cNlOlAZvBw91KeX1HRC86VXuA51xgWxY
MD5:	8D890C253C374EA27981CBCA386D69D7
SHA1:	612FEACFBE10780D685B12AC450346BA8AA85DEC
SHA-256:	EFE61D586AFF065712F15AB38AC602447B625B0FB21BB8E3FACF14AE453BB431
SHA-512:	34D05BD9DFEB63B6FE56FF9CD0FFD686806B72C08A22808D4A68C580DD058C8EF52FC43A736EC14456B93A6CEA3DD2317F058581C2630CE8216E3813F69426E9
Malicious:	false
Preview:	.PNG........IHDR..............>a.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..]{l\ev?.~.5vl.y..M..D.IYbv..e.X..hH....V.&j..J.B..@.iW.m.m.`i.E1....aix.....).<.$~..y?{.}.w.....H_......~..;.;.c..1c..3f.1c..3f.1c..3f.l&..s.~........?3..P..w`.`[-<......a.#....Ch.e.O.."..b.(o.......t.y..E....&+...........l2...=.GzN.4.a...x{.t.>F..N..(.v..&.L....\f3.....E..'NxL#.-?...e.F.b..K..7......P......Ob.6MLhw2.]e.@.6..xiW..`.......7.Sj...kJ.......#...O....I.,]..4r..FY'.g.\|.......}.t....hF......\|9X=x[ 0#.S4.R....J..w..#...\..^^WW.5.N! ... ...3.w%..8..P\|.ps........=.....^...w..1.D...V.03.u.........WWW..+.....V..:5..\|.^.x0.....b....[...x..z.......v.A..2.A..q3$..W%.;.....s...2{.w6.^/.......].._.\|...u...@L..pW..F.B...&.?L.....f.'.P.W..r.(.1Lp$(....c..i.c.<..[..555R.W......?...<[.....NA..g".x..9.Z..z.-..v...:......kb....9.@h...5S#...y..G.....yAg.E..k....j..o..,..iI.@."..yI.7.\|S.\|).,..%.p8t....1.C.i...!....u...o....E.[ZZ.x.g)...S..\A..{.Lm7.....Y.Q....'

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\speed-boost-button-1-day[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 388 x 404, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	8974
Entropy (8bit):	7.933153833231728
Encrypted:	false
SSDEEP:	192:8tZFs49sYdbdIBzQT8Rnd4mA0XJn3U8Gm3hIzRmFgtLu:eN6kIRnd4g3/GNzQFg8
MD5:	F5459AA2192521674679ECDC0C477666
SHA1:	F0079A87768102419ADF3651105EC447026F48AC
SHA-256:	AD47922C22F8FFA5FA7EF32F16E431DB4BB7ACF5646E2FC5191A6C455602C950
SHA-512:	3D597FF722BCF23CB271CC59D08B5A477D20C3AD1CC38F2ED21879948776057BECFB393E9321E252681C2912952A06B716FF2AE4F74C5A8EA50DC3BAA971890C
Malicious:	false
Preview:	.PNG........IHDR................z....PLTE.......................{.....Fm.E..:...#`.t.......~............u.J..y..wi.Bj.E\.;L.0..u.8..< ...b.?..{...F.-T.7..z{.P{.N.....F.1...F.3F.5E.9H.(z.TG.{.RI..E.6...E.8G.,G./G./G.-G..Hj.I.!J..E.:H.&H.'..3z.VI."I.#..I.$H.%E.;D.=./.D.@C.DD.>z.WC.BC.F..B.HF.=K..H.&D.AJ..H.$J..B.JC.GJm.Eh.@d............(........3..........i.@......q.HXx.b.7..y._eV.)(0....$...hBJ.Q..c......s^}..=.'..7.....Y./.9p..o.Ml...........d.J..:.FQ.#5`.F..s....... w.Rh?.@.I.SY.`].qw.....Cm,.X6.KE.;...BD...]Y.A............G...D.J>.A&V.z....s"mbK.0Iq.........yg._L.+C.k%v_(.[6.X@.V........E.~B.CQ.5..........?.K...........*.Y0.Q<\.H..{t.Pr....'<...]d.v.j........E..J.U...Hw....H~.G...s.F.....'./.]\..<...V.ck.!..,..C.f6r.f......K.v{.......#.....H.....}.P{.c....~....&tRNS...$O<^YgF.T.TF...4.Y..s....SD.............IDATx...1..0.@..QD.".daa........j;.[.+\|9..`R.=.3F.M..Pq.a...B.&."....d......;0U45.s..c1....%.W.v..,.v.c......'.....a. ..J.-.$^#%.K.F..H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\flag_unknown_64[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2374
Entropy (8bit):	7.8360684332624135
Encrypted:	false
SSDEEP:	48:3FjMaBL+KcpcHSqLjxaRzjXLdqKOn6GQaE7/rRmgKmNS1Lx:3FLx+57X0KF/cgej
MD5:	9A4EC70981F8350743001D2FC21E7167
SHA1:	B661690CF4E61F16445D29BBAEB16A1D4184C2EB
SHA-256:	524ADB0EF98AA34A4FFFFE2F4B9476443E78FF8C001752D114B1598C57C401F2
SHA-512:	75F1927286D586E2756DD59B16B59ACA421A380DC54F068AD0D4BD0F7C11007D7DE147069240CC5A59CFAB1AEDBF2CCA2E6FB5A99BB230F0F1DE8CEE9E2B76D2
Malicious:	false
Preview:	.PNG........IHDR...@...@......iq.....gAMA......a.....pHYs..........(J.....IDATx..ZkoT..].>..x..x.....%..Q.Q5.U.VJ.j%.Q...)....K.J)".ThP......P.$-i.Bp....3c{^.uN...G.+..0....a..^{........z.........@....t.Y...b....J........c@.@i..^.1 ..^..........V.7>...p?...\|.as....\|...k....u.a...Y,A..Ca........3.{.oh.....u.N.....J2.gOA.&.\..Uk......"...G..o...x.s..E8S..C.0.h).$R.0@X....s..f.{....E.O....=..H....Q....\......g..zs.&.o.b.....l.....w..a.K..p.k...v...'.C.>..^.....l.........j..{....2.....ob.".....a.{.F........ @X..?:...........?\|F.e....=e......c.".q3.e-....$Fu._..?......."n..;.."r.Z.D.G5O....,J{^@...../.Q......V.1..........i....@..H.Y.....g.......aB./ K.....]..0.%.my.......#.w......y...^.6.....G9;..~.....?..&.R..g.+v=........s.WQ.\|.A...I..@.XBe....'...F..j.......u...../D.6}.V ..6.V....HA.@......?y....:.f...../~c.........v..........y..}.t....%.'I.B.7.M.o..u.....0S..n...WP;...R{jy*..l.F.....3u.V.6.@..q..J?y..tW..'.X.]..FuN_n>.b.R..y.v..[...WaH..D.^.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\logo-bw[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 200 x 200, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	4272
Entropy (8bit):	7.743484127474195
Encrypted:	false
SSDEEP:	96:Jk8phHc8z0TqlWnB6yM/WGeUgdJAl1iC3l0HiXYp2IMYiS4:GKc8z0elWq/WG7gPu1iYl0CopBMYU
MD5:	87630D356AACE4ED1E3E7EC10BBB5D51
SHA1:	589818500FE5A27B5FE68F234211998DF129BDFB
SHA-256:	AE15FFBB69FD4D367D02F6678E475E0A65ADBF5AC9E919F0AC13A59E31D9ECFA
SHA-512:	01323EFFBF4B92052288F6D8C0FAD98FF196B7A602C7524DAB536840DAE17CFE091205ED20523950C0987394086E2EBC064A689A60207F57AF707BA48237FCEF
Malicious:	false
Preview:	.PNG........IHDR...............^.....PLTEopr............vwy...)).........ppr...z{}......................................uuw....rrt........bbb.........}}..........dde...~...........fgilmojknklnijmijl`acefhmnpghjmnq\]_bcedegcdfabdhik^_aZ[]norSTVaacRRT_`bWWY]^`YY[UVXLLNPPRNNP...XXZ[\^LMOHHJZZ\JJLVWYCCETUWOOQ>>@MMO......KKMIIKGGI889xy{...SSU...QQS..........FFH...335EEGDDF...BBD@@A112==?;;=<<>...noq::<...99;--.778446224.....001//0../...,,-.........*,...&&'............''(.........wx{...nnpjjkjkm...]]_...........\\]......``b.........klocce......yz{...kklnnoggiffh...ccdiij............jjlOOPkkm...VVV...TTVyyzWXZ......VVX..............^^_...............ffg...............]]^lln{\|~......abc...........^^`__`__a......aab.....NNOeee...............mmnoop......[[]........................................y....tRNS...................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\psicash_coin_grey[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 90 x 90, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1528
Entropy (8bit):	7.691689024830226
Encrypted:	false
SSDEEP:	24:ZqwbCHZlyUAu5CKzjaDEO5kzauUis5Lw6Qnbc23ixI/X8/mYsS4KM09Vtwc:nCHeUAu5qIO5kzXA1wXboI/X8/lcstZ
MD5:	ADCA537524989B256039E986AC1A0809
SHA1:	F586F5FFBB617DA85BB0E07F87F420848DB9ACC9
SHA-256:	2D1B7D277C1D6DD780C343D3A4F11FBB1A17B734740C753C97DE42567DAE742B
SHA-512:	E11FB750715859CA77308CE8549F29C5CB644AD717961721275787D4F502BCE47DA8C0E450B83B1A89E6FBDF11B029109FDFFD09FF373346911B12D8DA27FD06
Malicious:	false
Preview:	.PNG........IHDR...Z...Z......v.0....PLTE......................................................................................................................NNN...PPP...WWW...vvv.........aaahhhfff......oooTTTsss......\|\|\|lll___........ZZZ..................[[[...........yyy.......5....'tRNS..........{mQD'..............d:93/#....6{.....IDATX..yW.0..CK....}.....V...0.:...4s.j_..[..5..w^n.{.}.PKm.z...(.....T[!.C...^..MF.HY7.....x5...d%_..'..b9E2.HRr......2}..t=..%........Ee..h../...4.)Y<..r<e.V*...y...g.d....q3.Q.T....3...N..p...[....xx.lC\sC......S....._i..gypw2.......u...}.]..,P.^u...L]IbK^X....[.T:.0:.=......=i..;.t.`ba..&..w...H1..;.:s...93..y.......s...}...tC...Q.?J.L...t...H.&.n...=.57%j...\|A.oI.$.nzM.>O.9 {.....>.v....v........=....P.!..D.[c ..I....<\.Z:.+..m...Rr....L.e.....7e.L.B.]...+......'z......H...].h.....z..[.@6,;.o.C.......D.+..b ..e.-S...z.:.:<...CMA..z.....hF?.I.+..^..;=...Un!5...X..=...hG....TDEM.].].'hw ....s.5.6Md.N......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\speed-boost-button-1-hour[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PNG image data, 388 x 404, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	8982
Entropy (8bit):	7.926043864342521
Encrypted:	false
SSDEEP:	192:GEn9rIFZz0XhujinuvsFGugE+lq6OK+D9M+fYHLDooN:GewchuWnSyLgE+lqioMnHLh
MD5:	9C42A720E237967BE8E37D4D511C7E48
SHA1:	0CA0B333DB0586226EBCFA9EC1B9542938D5741E
SHA-256:	2384C8153041EC891D716F43AA7015334360A002F2142C7A81E78838D045ADC9
SHA-512:	6E636295067F013A1972CDB42833E1C91F5BE15F605540969FBDB58C5218F032333F5EC3B66B6433FDADEAFE2A31F23CD37403D8067F70D3D672292B992C304F
Malicious:	false
Preview:	.PNG........IHDR................z....PLTE................................{..E..:....j,$.4,..\|........y..w...eblNK.^Z8('.....}y..u9%/.......{.so..z...`L.aL.bL...._L.^L....\L.[L.....ZL._L.]L.ZM...Hj..cL.eL.YL.dL..^M.0..gL.......^MAe.Fh.Kn......(..............A=.cC.F>.K?.kD...YL.^B.oEXw.........^R....R@...[A.O@.gC.XA..x........x...#+.t8e.....!....UAFN..n^I........7....WS.yn.;.....k..!.u.<%q.RV.E......8A.G)n.qf6`....uY.k.dW&T.......- s.cQ.....zi.D^.NX...U..{...ma.cX........\c.f3h.I[.T@...jh.g.SZ......zh.]..f..<bid..fz.bk.gV......Rk....o..tz.8;...ss..fi.....@a...Yj.?..f.^..>f..........f......~v.XV.IJ....:V..,........cd.g^.t]n...1........ek...y..dD..P..U\|O.....@>....L.*9......z.............................~...{....m..........%tRNS..$...O<^gYFT..TF.2..s..TFg...D.......)....IDATx...9r.0..AC..B...LT..........;........2...yy.......X^$H....Zz.`\.N........G...Sm.9...W....M.o..M.......(DK.B...A..Q...\|O.l?....(.:...

C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe
File Type:	data
Category:	modified
Size (bytes):	524288
Entropy (8bit):	3.2354772061451076
Encrypted:	false
SSDEEP:	3072:S/Xqa6fP95a/vmSoa+pm9epL6xAP19JD3+TleAf+Ckmvt5BfxyWr6gj5lCXRONQe:qH69YbEPpxy7GCkhFBQqLwTV4Yvn
MD5:	7757AC4BCF123A2CCD158D5B35331F60
SHA1:	DBF54A51C3C0135524B3EDF60EBCBEE2F29F9C93
SHA-256:	DDF78707886BDF6A1B18AED2D5A96F959FBBCACFC3D02B5F472D4ACD6C53BE08
SHA-512:	BF8678BD368D0C1282F8D47294CA5D637D7436019AD759B96C500673E2D06EDC7AD34EC734DFF29C9D67D63B95BA3A62F4D69BD675A5D3B6D0AB257243DB455A
Malicious:	false
Preview:	........................................................\.......\|......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.temp

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	JSON data
Category:	modified
Size (bytes):	1960
Entropy (8bit):	5.332766844549583
Encrypted:	false
SSDEEP:	24:YxphT/fCI3Rb+a0Lh7JWCxJAYDJAYQtqFsRt7RtNRtbRtZRtLRtFRtQ6RtaiRtQE:YxphjffB+NLTWKPfHvHk
MD5:	6759B6D9CAA66F4483FF25BBDFCA9E84
SHA1:	16233624AF89690D7D7EEF952CA3A3B8C68576D2
SHA-256:	16FD7DF6E68DA138D7A005C27E53049443F7AE05383719AC397E8ECA3CB6EE6C
SHA-512:	27559550181E393963CA768311AD44044080C3E6DC989885D2E3820433DFF81303084BC501FADC2F31F41807D29BD51DB4DF4DA617EAE4FB36FE80D19CAEAD92
Malicious:	false
Preview:	{"instance":{"instanceID":"instanceid_FAw7LhfdG7IOxhJyWBCiJGMxz7PDKe4OKk8Hnio5IibGpaOw","isLoggedOutAccount":false,"locale":"en-Latn-CH"},"user":{"accountUsername":"","authTokens":{"earner":{"Expiry":null,"ID":"token_tracker_earner_9c47b37948e0e55ff63f371d69ecd9aff8f0cc62149222c864cffade1fe2dea1"},"indicator":{"Expiry":null,"ID":"token_tracker_indicator_14c84dbe13ceb3625870048c7e594066803485557277d17111cf94ff9f7e3d61"},"spender":{"Expiry":null,"ID":"token_tracker_spender_c4940f756c336c2330379a7645142e35764ab32f8f7846f37c2edc8676eb9a97"}},"balance":90000000000,"cookies":"AWSALB=0PHmaQIRJlBjghB6Sf3vn/VBxJBpCi1i/M/h99zJXoyzPDze/I2chYPybipeHakTKmw20VhARSU8FgKWcaNvf1XugAjXFZha8sxV+fRfyZEZjxCqJkgl0PIYes2b; AWSALBCORS=0PHmaQIRJlBjghB6Sf3vn/VBxJBpCi1i/M/h99zJXoyzPDze/I2chYPybipeHakTKmw20VhARSU8FgKWcaNvf1XugAjXFZha8sxV+fRfyZEZjxCqJkgl0PIYes2b","isAccount":false,"purchasePrices":[{"class":"speed-boost","distinguisher":"1hr","price":100000000000},{"class":"speed-boost","distinguisher":"2hr","pric

C:\Users\user\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.temp

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1960
Entropy (8bit):	5.332766844549583
Encrypted:	false
SSDEEP:	24:YxphT/fCI3Rb+a0Lh7JWCxJAYDJAYQtqFsRt7RtNRtbRtZRtLRtFRtQ6RtaiRtQE:YxphjffB+NLTWKPfHvHk
MD5:	6759B6D9CAA66F4483FF25BBDFCA9E84
SHA1:	16233624AF89690D7D7EEF952CA3A3B8C68576D2
SHA-256:	16FD7DF6E68DA138D7A005C27E53049443F7AE05383719AC397E8ECA3CB6EE6C
SHA-512:	27559550181E393963CA768311AD44044080C3E6DC989885D2E3820433DFF81303084BC501FADC2F31F41807D29BD51DB4DF4DA617EAE4FB36FE80D19CAEAD92
Malicious:	false
Preview:	{"instance":{"instanceID":"instanceid_FAw7LhfdG7IOxhJyWBCiJGMxz7PDKe4OKk8Hnio5IibGpaOw","isLoggedOutAccount":false,"locale":"en-Latn-CH"},"user":{"accountUsername":"","authTokens":{"earner":{"Expiry":null,"ID":"token_tracker_earner_9c47b37948e0e55ff63f371d69ecd9aff8f0cc62149222c864cffade1fe2dea1"},"indicator":{"Expiry":null,"ID":"token_tracker_indicator_14c84dbe13ceb3625870048c7e594066803485557277d17111cf94ff9f7e3d61"},"spender":{"Expiry":null,"ID":"token_tracker_spender_c4940f756c336c2330379a7645142e35764ab32f8f7846f37c2edc8676eb9a97"}},"balance":90000000000,"cookies":"AWSALB=0PHmaQIRJlBjghB6Sf3vn/VBxJBpCi1i/M/h99zJXoyzPDze/I2chYPybipeHakTKmw20VhARSU8FgKWcaNvf1XugAjXFZha8sxV+fRfyZEZjxCqJkgl0PIYes2b; AWSALBCORS=0PHmaQIRJlBjghB6Sf3vn/VBxJBpCi1i/M/h99zJXoyzPDze/I2chYPybipeHakTKmw20VhARSU8FgKWcaNvf1XugAjXFZha8sxV+fRfyZEZjxCqJkgl0PIYes2b","isAccount":false,"purchasePrices":[{"class":"speed-boost","distinguisher":"1hr","price":100000000000},{"class":"speed-boost","distinguisher":"2hr","pric

C:\Users\user\AppData\Local\Psiphon3\psiphon.config

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	17515
Entropy (8bit):	6.084162051969243
Encrypted:	false
SSDEEP:	384:USAassmiG11fLTEwwxH718TlSnwuybsyPluUeUMucv:UJau11fLT+CRdZ3IUeUMucv
MD5:	B9D0B5C921D8078F37B20793ED2A32D4
SHA1:	12B8F4F54C13398D2698BEE2CBDFECD0FE8B0857
SHA-256:	1AB6FEDEE71957840BCC3B741BBA296BA52B8970DDEBF8AE3AE26C383C7D17D5
SHA-512:	B6E9BAEA7A7FD7B5BB4F089305F5CA74067BCA7D5255D75B4FD429D06A76A51ACF417672C9EEF9ECC8479F505C35840ED3B9EB6373323FB8D1DAA968B2A2D95D
Malicious:	false
Preview:	{"AdditionalParameters":"NJNroWGMVg6IIKFUAcvLxHtpfq6EmEJpOrs4Fg4YsOncHmCxEEWPhXr6pFfsKhNljAmIOUc9QWqHuWgsq03oto3UeQZ1ZM42FpZe+VFHQfQFqaFtkZ00Y+qQPAiX8dS86x32jzNzPnYospbHq+sOQPPc1m68Rafd9EQHQSbeoNEQNFCi9RmCki6EuX08U+NSROcYq0neAnqCCZcGDK+Py4idFb6BRgbLf2UOgkW2EDkuZQqQoId/wd2+SV2ZHAmBsw+FEN4S3ddZ5z7zr0Pc/rYRs654grLl0JZI0UzCMx6RncXl1Vyb5w5HaHOvEBNFniQyOaYIgQp2r4sCqpOZ5agz1BpRAUsjKLIx78ljyLSIWQuI7+mSdU7Eb9wH+q85RpGqDA9tcc80PyoTu/9W81Tmc1y+yzq/e7cOvMg59HSqjAYoc4n1yO3ggNbA25WEY3HC6LIkwESpi+u4VyJ0h5Frc0yYuvv+ZDd5/HUgnr73BfkNkafVGYsgT0Qb76PWMbWU0dtUeQigDE9C25hnIBK9PMNo0mw3Env8YLVmczWDFIuSyw/mB4+NJM6882VxcPoyp7XNSLmr9adSQo7Xd/jLnIoHSC1EYy6QGoLhTYaipNvISL83fw6btoBP21NZB04Vc6/oMHas9xbaxOqDSTY3nlBfs76r0MxTDDJXIPCtUMkx40FSceVN/iYpelWj3VXViWJ9+cbuOOlzhpugm6bsctCZf47N5cKxcQjAmEXU7mjabLm9q3XBJDjIqJ6gEpUweX2VxmkXBef9zf+iM490fpauLKZiHKTWdDQaKUI18CLZvu08aqIz1LhFkXgEix/3TsRNSYVLtbhFPB7ImxlxNmUuZLaNijPAsLfoE36UpZWFc091bnIYGsEWKVOW8qunBeWH4OLfRAV8fA7vuWk4/dR3qD22BGOKgkruFS1ZsiLQAofnQl3reYqW1yndyEPDVlSSwCLE5tI

C:\Users\user\AppData\Local\Psiphon3\server_list.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	ASCII text, with very long lines (5604)
Category:	dropped
Size (bytes):	334122
Entropy (8bit):	3.4749666152199548
Encrypted:	false
SSDEEP:	1536:CXTmAlHem/HempllPHqTzL6rx0s6ffAQPlSUGS8PowI1iNncn/jBMkFbHpA2eFxd:k3gf4eumWxCAEX5nI
MD5:	A9D437CF9D3621F5D5E9C42996837CFA
SHA1:	79FEDD8F8270394FDEA5B9A7F62A3E2E355FFA1E
SHA-256:	C98E3DA6781419BF9A0A466389FCAD0350526643228FC631D3BCF3A5F5CABF0B
SHA-512:	7D201B70A540A9E097551EA6CB74E90292A8052E4828EE3BCE21E3DA78641E518153EDB75818F6353CFDBAB597FADB7F7CC37B3FE346A8CC1B90A6781F9447D0
Malicious:	false
Preview:	30203020302030207b226361706162696c6974696573223a5b227373682d6170692d7265717565737473222c22535348222c224f535348222c22554e46524f4e5445442d4d45454b2d53455353494f4e2d5449434b45542d504153535448524f5547482d7632222c22515549437631225d2c22636f6e66696775726174696f6e56657273696f6e223a302c22697041646472657373223a2234352e37392e3231322e313739222c226d65656b436f6f6b6965456e6372797074696f6e5075626c69634b6579223a224865385236306355637057454c564a5449756955464c6b6e68342f34596f4b3138393065486978584e51453d222c226d65656b4f6266757363617465644b6579223a2265326433656336353466613737306163613635386331613031653233323239383965386132616236346135353730396534656265346636653839393163666566222c226d65656b536572766572506f7274223a3434332c2270726f76696465724944223a2236364641354146453546333934444531222c22726567696f6e223a225553222c227369676e6174757265223a22544d4c594762415866314735666f73356642576e6679743277547553504748726335534e34523838496f7a796847674d455a4252762b5653535049434c314754624759344744663776424d763563637753724679557a2b

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\AppInfo\AppIcon.ico

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	MS Windows icon resource - 4 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	32093
Entropy (8bit):	7.008386947240903
Encrypted:	false
SSDEEP:	384:Ma+spcaaW1qorW9O4p0xmBdE818j1G2ZBu9cb4pE6KZsMeSnmJBz3JJIgSzwlV:MaICVrWA41UFjrZ49SRnqzvV
MD5:	69ACA4895E720268EF658026D7EA04BD
SHA1:	8F1DC29E3B1D5B5826BE277FCAAE2B7C3B71EBE7
SHA-256:	52A1B391DC8C5489E679704CDE4299DC1F0508C00B96143991E565E1300EC2D0
SHA-512:	293E07A5874BD11F2AAD03955C199E9756D75D45EB855AF0B01637900194F8DEB7BBD2311BFE8CF500CBC834FE050E8EDA199221E99DCB83A8DE3289EFA61CA3
Malicious:	false
Preview:	............ ._B..F...00.... ..%...B.. .... .....Mh........ .h....x...PNG........IHDR.............\r.f....pHYs..........o.d.. .IDATx..y\|[W...9.n.Z,..n..6..6....-.B..\|......N..-..t:i.3Ca ].E.N..5.......t...M.8..;."/..Kw;.?d;.-.te...G"..<....{..<...l`.........g#j....j...u4..].U.'8.S....N..@y....j.d....SU.J2.......(..6p...@.gw.Ru.S.F.p.gP.....#..u....q/o.....]......+5.....BJm.Ev...!&N.I\|.V.kmz,.E...X...>..l(I.c....BEf..cE..P... ..$..0..M..r..f?....N...^....y..?zO..b..0.ya..".1F.}...Fb.....%......a.3.V.k>]Q$......(.(..".aNv.r..4o........r..5...!.6+.6.......#G...K..iI...K.B......Xt..)....`.-...,....k...x../8.]..xY.zv.[...r.%.......}...;V......+.p.r=.^..c5LS.E.g/(....*J..n?+yk..v........G....aBHe.."..."...3r...-..B-..Z...G.-...`..o?.! <.q.}........gK..rK...o....P<....t..)..^n..9yy...WJht...60M.+..p..mrXp....5..u.............X.P...Bw?......F....#...H..P..r..B9..rXtW...5;....i.`....EJmZ%`.....x.9..uax..=...Wk...#..-./.........\|/.\|.....k...{...z.m+W,..#.1z.

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\AppInfo\AppInfo.ini

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	189
Entropy (8bit):	4.860217916689107
Encrypted:	false
SSDEEP:	3:MrEWN9EVsu1L9N9Eo6TEocyMtovAdYrHGQW7yhBztsW7yyv9oeTiHJjv:MrEnG0r1yA2rH13wyv9BTkJT
MD5:	69796A5E260347ECC2917779F72C632A
SHA1:	2F255A7E708CC5BCAECA801B0683F22480021CBF
SHA-256:	7B1943E9E970AC8226A0F7282998966BADF5697C7E9BCF615510FF89F1675A21
SHA-512:	E37B27BBBE22875662CF969730CC4C72767DCB864262E4515AC3993936F0CEB0E153C040238EDDBD83084097F9DDC4A85BC242A295A597D3FF67DAA85DD899E8
Malicious:	false
Preview:	[Details]..Name=Psiphon..AppId=Psiphon..Publisher=LRepacks..Language=Multilingual....[Version]..PackageVersion=3.183..DisplayVersion=3.183....[Control]..Icons=1..Start=PsiphonPortable.exe..

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\AppInfo\Launcher\PsiphonPortable.ini

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	Generic INItialization configuration [Activate]
Category:	dropped
Size (bytes):	666
Entropy (8bit):	5.081537570413563
Encrypted:	false
SSDEEP:	12:M8tYof061ct9eKR2/epJT7yk2/epababe2/ep2J:JqG0/t9ec2aJHyk2aababe2a0
MD5:	13A80331AE779ADDF158DA5D51515B3F
SHA1:	5CCE658366CC5CD8FAC1F5287D3E15B1AE5C5CF8
SHA-256:	D463E2CE20E25B2ED290DCF6DC1C01DCC60B5DDA71E932CCFA9F5DDF53E81910
SHA-512:	59849A3E60A4075C1A743C67109916213112A1BC494DC47B4E85E621BCA8CA4554A155A24F07104846227100C06C7C16BF157E7FC97EB5F00F8121C1B341E2C9
Malicious:	false
Preview:	[Launch]..ProgramExecutable=Psiphon\psiphon3.exe..RunAsAdmin=force..DirectoryMoveOK=yes....[Activate]..Registry=true....[RegistryKeys]..Psiphon="HKCU\Software\Psiphon3"....[DirectoriesMove]..Psiphon=%LOCALAPPDATA%\Psiphon3....[FileWrite1]..Type=Replace..File=%pal:DataDir%\Settings\Psiphon.reg..Find=%APPDATA%\\Psiphon3..Replace=%pal:DataDir:doublebackslash%....[FileWrite2]..Type=Replace..File=%pal:DataDir%\Settings\Psiphon.reg..Find=%PAL:LastPortableAppsBaseDir:DoubleBackslash%\\..Replace=%PAL:PortableAppsBaseDir:DoubleBackslash%\\....[FileWrite3]..Type=Replace..File=%pal:DataDir%\Settings\Psiphon.reg..Find=%PAL:LastDrive%\\..Replace=%PAL:Drive%\\............

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\DefaultData\Psiphon\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.183.part.etag\upgrade.179.part.etag

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.4632805178108113
Encrypted:	false
SSDEEP:	3:Aa6YHCn:AbeCn
MD5:	F634A661107AD3303B6C42887318FF85
SHA1:	51BE496B367DFBEFAB957B0EBA53E498844451FB
SHA-256:	CAC5507771A6A6A3A71B552098FD37E820D751C1A0FDE1CFF3D312005ED27004
SHA-512:	20FE17F5FCB2B42687E241F66D9836C0FD45CDAC721DF590202F056E57E0E1794ED0EBA36BDCC99F21B79F5B41C8CCB4C2344E0DB9A25F41536AFBB317D522F0
Malicious:	false
Preview:	upgrade.179.part.etag

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\DefaultData\Psiphon\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.183.part\upgrade.179.part

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.5
Encrypted:	false
SSDEEP:	3:Aa6YR:Ab8
MD5:	AE02494532CAA325B95B23B58D56CC18
SHA1:	35C3D82AB347B01975B2465DFF8FFDCA462F777E
SHA-256:	9D56B6ED246603EF44C4DA904BDEB4024ACF83D988644966CDE63FAB9992515E
SHA-512:	1DA4136FE03965C33CCEF2C67DBD838E9EB0E3E229E6D70E71B079D7C5E7B89460263C42ADA716BBF8E71F9E3955C1022223DA8589A2C2426D68984D97358F6E
Malicious:	false
Preview:	upgrade.179.part

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\DefaultData\Psiphon\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.184.part.etag\upgrade.178.part.etag

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.4632805178108113
Encrypted:	false
SSDEEP:	3:Aab+t9Cn:AUE9Cn
MD5:	7EFC8FB32656E400472EC1AA98959673
SHA1:	F9E3C3FD377207E602F540BBC2FAD0DDF5C3762A
SHA-256:	652F69AFF55876DD5D441F06B96AA66426B908D1F3CB764701C8AFEC6F2537CB
SHA-512:	B49A76F6AD098E03E2EE52A5F9143EEF8C38C46DA67CE519D65DF785AB98520DE880C41B59C373A9D083260B1DA7EBE0BDC13F4CDEBE481020CF92C604EFC78D
Malicious:	false
Preview:	upgrade.178.part.etag

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\DefaultData\Psiphon\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.184.part\upgrade.178.part

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.5
Encrypted:	false
SSDEEP:	3:Aab+R:AUu
MD5:	8AF4C040E9B9024C1CD6998B2354CACB
SHA1:	A305105C6FFC98C0831A8F53EEAD26FF9A28852C
SHA-256:	2B1136D17ED408182B73F5CEA14BEB99A9A52667FA3CD48EDB5AF0B952AB8B33
SHA-512:	C24B9CA42F94CB0F6FE2E4989D4ED7A0DF0ED670B10222156F945A22C27DE9BD1C40446F0D4CB3E1C42724204334C9CF5CCFF18FD9E93D09FFBE6EDBB294BDF6
Malicious:	false
Preview:	upgrade.178.part

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\DefaultData\settings\Psiphon.reg

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	452
Entropy (8bit):	3.5443803979975903
Encrypted:	false
SSDEEP:	6:Qyk+SkWCiiCRroZ6IJl5qIlgCVlEEORaJIkAl8aoCinKPQ1/YlFMeQWlQlHOlP+q:Qy5hVZtrRNEELimCaaoYVjlQlHamEV
MD5:	E2A203CA6E155D6960F4D7E7E741893B
SHA1:	A8737102C5A5AABD5B59A29907FBBBC05DF3A9BD
SHA-256:	863DF7402E7283F531331F0F97381B81700F745E6B312A1977EF5AE2170FF8E9
SHA-512:	D6C37C12F1F463E0602D603423A0A3AC6C8F088305B020F97F938F33265ADBF24CEAD308639F69DA82ED3083A26C51A9601E9604D3B21CADFCE145A38BCE9D03
Malicious:	false
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.C.U.R.R.E.N.T._.U.S.E.R.\.S.o.f.t.w.a.r.e.\.P.s.i.p.h.o.n.3.].....".S.k.i.p.B.r.o.w.s.e.r.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.....".S.k.i.p.P.r.o.x.y.S.e.t.t.i.n.g.s.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.0.....".S.k.i.p.A.u.t.o.C.o.n.n.e.c.t.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.0.....".D.i.s.a.b.l.e.D.i.s.a.l.l.o.w.e.d.T.r.a.f.f.i.c.A.l.e.r.t.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	6794456
Entropy (8bit):	7.99770676130868
Encrypted:	true
SSDEEP:	98304:x54LpW0sXlQoonh/CxEQ3JFIkWEwaVARl39Bbe5lEf6r6hDkwpaypJG9GH9h:b4dsJondUvrFwaVARBbez6hDkwp1cO
MD5:	03F2D4B132FC5802F9739F4B91C86C25
SHA1:	FD853D7313520F72B7173C066ED89FAF22DF92C8
SHA-256:	9840CC8259705E96D4D95E70D691E56D38DE9DBA393957B6DE6165E19C7D6364
SHA-512:	717BA1F2B72C72726C8199C5F84142C564B3DDBE94FC06D4CB44A9EAF504DB858B99996047F2F11924567E11D7E0FC2249C218366D52600C27AE9F4F58F091E7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......:.4 ~.Zs~.Zs~.Zs...sg.Zs...s.Zs...sW.Zs.z.s..ZsE.Yrg.ZsE._r..ZsE.^rX.Zs.z.su.Zs.z.s_.Zs~.[s.Zs..^rh.Zs.._rv.Zs..Sr0.Zs..s..Zs..Xr..ZsRich~.Zs................PE..L...c..f..................d...........w.......w...@..........................pz.......g...@.................................<\z.......w.<.............g..&..._z.0............................w.......w.\...........................................UPX0....................................UPX1......d.......d.................@....rsrc.........w.......d.............@..............................................................................................................................................................................................................................................................................................................................................4.21.UPX!....

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe.orig\psiphon3.exe.orig

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.2516291673878226
Encrypted:	false
SSDEEP:	3:w:w
MD5:	B7128C256A94922983A22977737A726B
SHA1:	3F67A4AE9B0AAB40AE1C91B0364192EA1524514B
SHA-256:	61D753E79C2F36DAAF2B6D837B1AF1CE2D36AF8879C7528B701305A9AB5E7F5E
SHA-512:	540BFCBAF2CF9C9B98E767777F04674FBA75578228DE905E6A1D05171A0DD98B463E6BDB54753AF794DAD588E0D0268B7E5FF37D0B5A958660D9D4F48623077F
Malicious:	true
Preview:	STOPIT

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\version.dll

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	5.216751569597583
Encrypted:	false
SSDEEP:	192:Zbw+BKv4xIY6JPnWbBmKmckVPxIiTOPX79t+:Zb7IYUqRmckVPxIiTOT9t
MD5:	F914B2A70CA7E92ACF60B631011996B1
SHA1:	CF94DE13FAADE5DA312AEF875ADC44A9B1FB3C3A
SHA-256:	6A646BBF2DE020EDD636C9140726C9F843174BE8199DE5568CB3AE10FF71CEE3
SHA-512:	75D83FF6008AB0B645537C8FBA67D38C11AB2ADB282D067B5A32D85E1D532A67016D6A145432B3C5FAA935FE3B0A8AA4955649BEA3CCC9DDF4DB0D233575F41F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Psiphon_3.179.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a...........!...2.....................0...............................`.......................................0..+....@..<............................P..p...................................................XA...............................code............................... ..`.text...}.... ...................... ..`.rdata..;....0......................@..@.data........@......................@....reloc..p....P......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\PortableApps.comLauncherRuntimeData-PsiphonPortable.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	5.05137212792698
Encrypted:	false
SSDEEP:	3:WB/Wy2KJXMihMIm1erbJSRE2J5xAIjh:WpxXzfIe0i23fjh
MD5:	6BFD2BB0AFBCF2DB0238451598AFD388
SHA1:	A5838D100B10092CF229F108BFB522807B08BA3D
SHA-256:	32DE6941791958CE778E83A07C132713C11163F3680644B560B588CEDE84798C
SHA-512:	E4D852A7056F2322AF0E0A560F35D353E76BA0B9EC03EEEF64ABC860E99663E408E2E948731FA381CD446E75B9470874DA15E89FEABC8024954F9C6FBA0D237E
Malicious:	false
Preview:	[PortableApps.comLauncher]..PluginsDir=C:\Users\user~1\AppData\Local\Temp\nsc1E86.tmp..

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\Psiphon\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.183.part.etag\upgrade.179.part.etag

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.4632805178108113
Encrypted:	false
SSDEEP:	3:Aa6YHCn:AbeCn
MD5:	F634A661107AD3303B6C42887318FF85
SHA1:	51BE496B367DFBEFAB957B0EBA53E498844451FB
SHA-256:	CAC5507771A6A6A3A71B552098FD37E820D751C1A0FDE1CFF3D312005ED27004
SHA-512:	20FE17F5FCB2B42687E241F66D9836C0FD45CDAC721DF590202F056E57E0E1794ED0EBA36BDCC99F21B79F5B41C8CCB4C2344E0DB9A25F41536AFBB317D522F0
Malicious:	false
Preview:	upgrade.179.part.etag

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\Psiphon\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.183.part\upgrade.179.part

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.5
Encrypted:	false
SSDEEP:	3:Aa6YR:Ab8
MD5:	AE02494532CAA325B95B23B58D56CC18
SHA1:	35C3D82AB347B01975B2465DFF8FFDCA462F777E
SHA-256:	9D56B6ED246603EF44C4DA904BDEB4024ACF83D988644966CDE63FAB9992515E
SHA-512:	1DA4136FE03965C33CCEF2C67DBD838E9EB0E3E229E6D70E71B079D7C5E7B89460263C42ADA716BBF8E71F9E3955C1022223DA8589A2C2426D68984D97358F6E
Malicious:	false
Preview:	upgrade.179.part

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\Psiphon\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.184.part.etag\upgrade.178.part.etag

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.4632805178108113
Encrypted:	false
SSDEEP:	3:Aab+t9Cn:AUE9Cn
MD5:	7EFC8FB32656E400472EC1AA98959673
SHA1:	F9E3C3FD377207E602F540BBC2FAD0DDF5C3762A
SHA-256:	652F69AFF55876DD5D441F06B96AA66426B908D1F3CB764701C8AFEC6F2537CB
SHA-512:	B49A76F6AD098E03E2EE52A5F9143EEF8C38C46DA67CE519D65DF785AB98520DE880C41B59C373A9D083260B1DA7EBE0BDC13F4CDEBE481020CF92C604EFC78D
Malicious:	false
Preview:	upgrade.178.part.etag

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\Psiphon\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.184.part\upgrade.178.part

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.5
Encrypted:	false
SSDEEP:	3:Aab+R:AUu
MD5:	8AF4C040E9B9024C1CD6998B2354CACB
SHA1:	A305105C6FFC98C0831A8F53EEAD26FF9A28852C
SHA-256:	2B1136D17ED408182B73F5CEA14BEB99A9A52667FA3CD48EDB5AF0B952AB8B33
SHA-512:	C24B9CA42F94CB0F6FE2E4989D4ED7A0DF0ED670B10222156F945A22C27DE9BD1C40446F0D4CB3E1C42724204334C9CF5CCFF18FD9E93D09FFBE6EDBB294BDF6
Malicious:	false
Preview:	upgrade.178.part

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	452
Entropy (8bit):	3.5443803979975903
Encrypted:	false
SSDEEP:	6:Qyk+SkWCiiCRroZ6IJl5qIlgCVlEEORaJIkAl8aoCinKPQ1/YlFMeQWlQlHOlP+q:Qy5hVZtrRNEELimCaaoYVjlQlHamEV
MD5:	E2A203CA6E155D6960F4D7E7E741893B
SHA1:	A8737102C5A5AABD5B59A29907FBBBC05DF3A9BD
SHA-256:	863DF7402E7283F531331F0F97381B81700F745E6B312A1977EF5AE2170FF8E9
SHA-512:	D6C37C12F1F463E0602D603423A0A3AC6C8F088305B020F97F938F33265ADBF24CEAD308639F69DA82ED3083A26C51A9601E9604D3B21CADFCE145A38BCE9D03
Malicious:	false
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.C.U.R.R.E.N.T._.U.S.E.R.\.S.o.f.t.w.a.r.e.\.P.s.i.p.h.o.n.3.].....".S.k.i.p.B.r.o.w.s.e.r.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.....".S.k.i.p.P.r.o.x.y.S.e.t.t.i.n.g.s.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.0.....".S.k.i.p.A.u.t.o.C.o.n.n.e.c.t.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.0.....".D.i.s.a.b.l.e.D.i.s.a.l.l.o.w.e.d.T.r.a.f.f.i.c.A.l.e.r.t.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\PsiphonSettings.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	204
Entropy (8bit):	4.952668860847125
Encrypted:	false
SSDEEP:	6:Cb30o6+ucNwi23fbWpCmapZ1fpbAcNwi2Yn:CG+YZjEclb+ZYn
MD5:	3C0CB2D2F2126AE97754F04E27D7B575
SHA1:	6B3F3445F529D5BA77F3D44FD4D8EAF639B43320
SHA-256:	37B2F8C01030B1CB301A55FA1D662BCEB46D25DE726ECE80975110DE9E5DD8DA
SHA-512:	24AF85452C40F4F6458FD8B592175AF25BA25469621034066FA667E4E0460CB1FBF539F95968A1D10B78FC4385435D5315434F9680F04EDA2F594927987E87F4
Malicious:	false
Preview:	[PsiphonSettings]..LastDrive=C:..LastDirectory=\Users\user\AppData\Local\Temp\7ZipSfx.000..[PortableApps.comLauncherLastRunEnvironment]..PAL:LastPortableAppsBaseDir=C:\Users\user\AppData\Local..

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe

Download File

Process:	C:\Users\user\Desktop\sVfXReO3QI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	145722
Entropy (8bit):	7.3156807643139325
Encrypted:	false
SSDEEP:	3072:YqeqOYEUXPnDSwPK4u1I0KzpFKFpcVDxCtODy:jEUXP7u1WpF/Dy
MD5:	49BF9DCA0C8EAFF957F62F0F3CEF0BA5
SHA1:	C15AD261CF8E2E33FE36C9B69ABFDC29BAC3D19D
SHA-256:	CC7C4ACA06452689CD8BE37AB8BA2285F6B977FFA7473812713190BF3F2996D4
SHA-512:	CE352F7C82AEE9A464D4F452ECAFEBEAEB7DB87BFE5F8818A7E2354FE66208DBDF69C2FBDEF197D41FBFEACDB7238B1447C188F24AD6AB03D86F3882CA4B2D64
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................p.......B...9............@.......................................@.................................d............R...........................................................................................................text....o.......p.................. ..`.rdata...*.......,...t..............@..@.data....~..........................@....ndata...P...0...........................rsrc....`.......T..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PsiphonTemp\dat3A1A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	Embedded OpenType (EOT), icomoon family
Category:	dropped
Size (bytes):	25544
Entropy (8bit):	6.2856527324339
Encrypted:	false
SSDEEP:	768:8AQHnyHsqQ/wFJ+AwV4UPxHMjKiM3C4R+qwogeeZq7g8Y:8AQHnyMqI6GPy63rEogeeZq7g8
MD5:	79CE7E9887A670AB6A18EAF59CAB7FA7
SHA1:	0C3C11723E52BC35F8A69C5ACD37AEA959A3E2B7
SHA-256:	24F0C91CD083494F5475C9DDE62F4477EA9FAE06DF25C398949781FF879FCD83
SHA-512:	95E2686590CBBD8BA86D006590EFF3E83CC5E29CEAE2342C949673A53B1CBC8B9A1E309742572BB67B49A2E03FBAEEB746A0C8132F379D08C5DB008C28039A27
Malicious:	false
Preview:	.c..$c............................LP.........................3$i....................i.c.o.m.o.o.n.....R.e.g.u.l.a.r.....V.e.r.s.i.o.n. .1...0.....i.c.o.m.o.o.n................0OS/2...Q.......`cmap.8.g........gasp............glyf..........\\|head..V.._<...6hhea......_t...$hmtx"..].._....,loca...4..`.....maxp.].%..a\... name.J....a\|....post......c.... ...........................3...................................@.........@...@............... .....................................\.@....... ...r.... ....7.....................,.4.7.:.E.K.W.Y.\.c.\|..................... ...r.........7.....................,.2.6.9.D.J.T.Y.[.b.y.~.......................a.....]...................~.H.E.C.!.........................................`........................................................................................................................79..................79..................79...............".U..."&'..7.>.38.12.......&'...#".....#.#"&=.#...+."&5.4632.

C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	18710232
Entropy (8bit):	6.406575727466805
Encrypted:	false
SSDEEP:	98304:8MWhYnBg1t4oUyi2D5jyW/bxkHWvlS0mTK8/WNMtz9f/BILO9qT798Oit/bkR9vH:bWGl814NjONUWeiHit/bcVsuBg07pbAg
MD5:	77F9FB45FA91FBC0B2105900F7AF30DF
SHA1:	42695C5D1E42FF3745BEDF32A2E1CDF417E7BE55
SHA-256:	B04B5C42FE5664B1C176E9258131D29B4D81C8D1C47DF96FB1A7E04548939475
SHA-512:	F7D1697B817B05E58D4839D0E8772F19498912AE25D6A3477EA4559E7F6705295254D9F3D839A6B791E2DA40FCDBEE0244D94D98843B601466B7BE385C57BBE9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V...............>..........p........p....@...........................!.....W.....@..........................................................X...&.......R...................................................}...............................text....=.......>.................. ..`.rdata.......P.......B..............@..@.data........p.......\..............@....idata..............................@....reloc...R.......T..................@..B.symtab......p!......V.................B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\System.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.729426875863261
Encrypted:	false
SSDEEP:	192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
MD5:	BF712F32249029466FA86756F5546950
SHA1:	75AC4DC4808AC148DDD78F6B89A51AFBD4091C2E
SHA-256:	7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF
SHA-512:	13F69959B28416E0B8811C962A49309DCA3F048A165457051A28A3EB51377DCAF99A15E86D7EEE8F867A9E25ECF8C44DA370AC8F530EEAE7B5252EABA64B96F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: HolyTom980.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: ReimagePackage.exe, Detection: malicious, Browse Filename: ReimagePackage.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.PossibleThreat.20191.6097.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.iWin.17190.677.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 2Ir9YQkiGJ.exe, Detection: malicious, Browse Filename: theword-setup-en.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..............]..............XP......Xd......XU......XS.....Rich............PE..L.....GO...........!................('.......0...............................`............@..........................3.......1..P............................P.......................................................0..\............................text...1........................... ..`.rdata.......0......."..............@..@.data...@....@.......&..............@....reloc..L....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\UAC.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.952191493801213
Encrypted:	false
SSDEEP:	192:qP6KdXy+Yo7e1J8qC25a5mDFmCLGUCVGpU6uNck87I0S/TDqwyTq+:q/q3Pgd5mx6VkEck87ILCTN
MD5:	A88BAAD3461D2E9928A15753B1D93FD7
SHA1:	BB826E35264968BBC3B981D8430AC55DF1E6D4A6
SHA-256:	C5AB2926C268257122D0342739E73573D7EEDA34C861BC7A68A02CBC69BD41AF
SHA-512:	5EDCF46680716930DA7FD1A41B8B0426F057CF4BECEFB3EE84798EC8B449726AFB822FB626C4942036A1AE3BB937184D1F71D0E45075ABB5BF167F5D833DF43A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........^.O.0.O.0.O.0.O.1...0..m.D.0.....L.0.6.N.0.4.N.0.RichO.0.................PE..L...m.AK...........!.....&...........-.......@...............................p.......................................5..<.......x....P.......................`..........................................................P............................text....%.......&.................. ..`.data...H....@.......*..............@....rsrc........P......................@..@.reloc..\|....`.......0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\launcher.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	Generic INItialization configuration [Activate]
Category:	dropped
Size (bytes):	666
Entropy (8bit):	5.081537570413563
Encrypted:	false
SSDEEP:	12:M8tYof061ct9eKR2/epJT7yk2/epababe2/ep2J:JqG0/t9ec2aJHyk2aababe2a0
MD5:	13A80331AE779ADDF158DA5D51515B3F
SHA1:	5CCE658366CC5CD8FAC1F5287D3E15B1AE5C5CF8
SHA-256:	D463E2CE20E25B2ED290DCF6DC1C01DCC60B5DDA71E932CCFA9F5DDF53E81910
SHA-512:	59849A3E60A4075C1A743C67109916213112A1BC494DC47B4E85E621BCA8CA4554A155A24F07104846227100C06C7C16BF157E7FC97EB5F00F8121C1B341E2C9
Malicious:	false
Preview:	[Launch]..ProgramExecutable=Psiphon\psiphon3.exe..RunAsAdmin=force..DirectoryMoveOK=yes....[Activate]..Registry=true....[RegistryKeys]..Psiphon="HKCU\Software\Psiphon3"....[DirectoriesMove]..Psiphon=%LOCALAPPDATA%\Psiphon3....[FileWrite1]..Type=Replace..File=%pal:DataDir%\Settings\Psiphon.reg..Find=%APPDATA%\\Psiphon3..Replace=%pal:DataDir:doublebackslash%....[FileWrite2]..Type=Replace..File=%pal:DataDir%\Settings\Psiphon.reg..Find=%PAL:LastPortableAppsBaseDir:DoubleBackslash%\\..Replace=%PAL:PortableAppsBaseDir:DoubleBackslash%\\....[FileWrite3]..Type=Replace..File=%pal:DataDir%\Settings\Psiphon.reg..Find=%PAL:LastDrive%\\..Replace=%PAL:Drive%\\............

C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\newtextreplace.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.663962361333402
Encrypted:	false
SSDEEP:	192:GGhRfigbU26niqo9m+9k15AA1NrW0QfaDx3nxNLr6s+:GIwgSnhv/IaDx3n6X
MD5:	B5358341DF2CB171876A5F201E31A834
SHA1:	DF34750EA5504274BE5FF8DDD306B49E302D04F9
SHA-256:	156B9B583399FAF13C4D46B89339FB0F7F38DC847AC2D7872178D8E3998B9734
SHA-512:	821DC42E24FA2D44A1D4D16B26C3DA2688DAC0FA44A266E38DA2AFF706C91440D83A87ABC74131930E6C38A44A0C5E627DB2D045375FDE147E0EDD3276F4B014
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....+kK...........#...8.....*..."...........0....0d................................!......... ......................................................................................................................................................text...L...........................`.P`.data...$....0......."..............@.0..rdata..h....@.......$..............@.0@.bss..... ...P........................@..edata...............&..............@.0@.idata...............(..............@.0..reloc...............,..............@.0B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\registry.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29696
Entropy (8bit):	5.935941891777929
Encrypted:	false
SSDEEP:	768:HsKZwhFkGOr0Ga4+8DFFHR4mmw5+64fuKwX13:HLKmGOr0Ga4+8DFFHRrmw5+m
MD5:	2880BF3BBBC8DCAEB4367DF8A30F01A8
SHA1:	CB5C65EAE4AE923514A67C95ADA2D33B0C3F2118
SHA-256:	ACB79C55B3B9C460D032A6F3AAF6C642BF8C1D450E23279D091CC0C6CA510973
SHA-512:	CA978702CE7AA04F8D9781A819A57974F9627E969138E23E81E0792FF8356037C300BB27A37A9B5C756220A7788A583C8E40CC23125BCBE48849561B159C4FA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$...J...J...J.*.D...J.A.@...J......J...Y...J...K...J.A._...J.A.N...J.Rich..J.........................PE..L...;4.K...........!.....T..........GK.......p...............................0.......................................s.......p..P............................ ..d....................................................p...............................text....R.......T.................. ..`.rdata.......p.......X..............@..@.data................^..............@....reloc..T.... .......h..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc1E86.tmp\runtimedata.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	5.05137212792698
Encrypted:	false
SSDEEP:	3:WB/Wy2KJXMihMIm1erbJSRE2J5xAIjh:WpxXzfIe0i23fjh
MD5:	6BFD2BB0AFBCF2DB0238451598AFD388
SHA1:	A5838D100B10092CF229F108BFB522807B08BA3D
SHA-256:	32DE6941791958CE778E83A07C132713C11163F3680644B560B588CEDE84798C
SHA-512:	E4D852A7056F2322AF0E0A560F35D353E76BA0B9EC03EEEF64ABC860E99663E408E2E948731FA381CD446E75B9470874DA15E89FEABC8024954F9C6FBA0D237E
Malicious:	false
Preview:	[PortableApps.comLauncher]..PluginsDir=C:\Users\user~1\AppData\Local\Temp\nsc1E86.tmp..

C:\Users\user\AppData\Local\Temp\nsh1DBA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
File Type:	data
Category:	dropped
Size (bytes):	375152
Entropy (8bit):	3.9038534404528633
Encrypted:	false
SSDEEP:	3072:wNVewYrhdh+Y8QDz5BqBsN5CJKg1hs1DvoXROcHUfOxeI1eXNuNXDYDDGToMyM2v:wNVwTBBq2uM3GToM/Z6Or02FSwAt2U
MD5:	3B5138064ADB93E9D0340A8D21312703
SHA1:	A901AB66A1ECDCD83BCB6EA29A8DEB9D4D2C436F
SHA-256:	F6748266A3016492B1A8DC45102A33DBAC73A1405462523B40A8A219CB05A770
SHA-512:	476340AC5FC6425AA4B004B62D14E1170DE43214652A0C1A98293089032E9374EFA7EDB8938B2C42082D29E784A7586DBA855D6A12FEEB1DF0D4C7E61518C2E5
Malicious:	false
Preview:	LK......,.......,.......LA......(W.......4......LK..............................................................B...............................................................................................................................................................................................................I.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997861978508547
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sVfXReO3QI.exe
File size:	6'986'755 bytes
MD5:	26e14ee776eacbbd45f8ee346dcecfcc
SHA1:	6a61a3987cb37df8d9f143fa384206c45260db1e
SHA256:	d79890b31d4d7ae839054794768e2f238a28506673591cafe5b1b82ed157e146
SHA512:	870ca2bb42ba2a4c70ddcc91d9d63a6797472c49b9481597e5a6ca6f21e51fc822e75bd4092a5b6d4ed9c7cf7ce2014ec7e8c2f61fad6629498c6ff8704c219b
SSDEEP:	196608:7gZ/EXLoy4dJrMfiQotB2fXZA93ypZ+3F:7gBEbydJrMfiQotofSJyU
TLSH:	A56633AA7543C5F5E5DA29B31A3F528090640E401B264EC7877D3C2B8EB7D93E13B729
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L......P............................/.............@.................................3-......................................t........0...O.................

File Icon


Icon Hash:	1761d9c969692917

Static PE Info

General

Entrypoint:	0x41942f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50E0DE9B [Mon Dec 31 00:38:51 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f6baa5eaa8231d4fe8e922a2e6d240ea

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041C470h
push 004195C0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0041A1E0h]
pop ecx
or dword ptr [00422DE4h], FFFFFFFFh
or dword ptr [00422DE8h], FFFFFFFFh
call dword ptr [0041A1E4h]
mov ecx, dword ptr [00420DCCh]
mov dword ptr [eax], ecx
call dword ptr [0041A1E8h]
mov ecx, dword ptr [00420DC8h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0041A1ECh]
mov eax, dword ptr [eax]
mov dword ptr [00422DE0h], eax
call 00007F9CFD699B32h
cmp dword ptr [0041E950h], ebx
jne 00007F9CFD699A1Eh
push 004195B8h
call dword ptr [0041A1F0h]
pop ecx
call 00007F9CFD699B04h
push 0041E070h
push 0041E06Ch
call 00007F9CFD699AEFh
mov eax, dword ptr [00420DC4h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00420DC0h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041A1F8h]
push 0041E068h
push 0041E000h
call 00007F9CFD699ABCh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c974	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x4f84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x36c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18dde	0x18e00	0c04e49d78a3c453186c916e6f29540d	False	0.6056257851758794	data	6.6740241210126	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x3bca	0x3c00	1eff757b36a6b7a599236ac8b1b35b4d	False	0.4557291666666667	data	5.713391866788319	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x4dec	0xa00	21d5c7a8ba54658b1e07909bf1045c79	False	0.50703125	data	4.450978418041827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x4f84	0x5000	82c4c1cf655e3d0184b71be26225f0a6	False	0.325048828125	data	5.032889691557307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x23250	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	Russian	Russia	0.2579268292682927
RT_ICON	0x238b8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	Russian	Russia	0.3803763440860215
RT_ICON	0x23ba0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 384	Russian	Russia	0.4344262295081967
RT_ICON	0x23d88	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Russian	Russia	0.46621621621621623
RT_ICON	0x23eb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.2679460580912863
RT_ICON	0x26458	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.3834427767354597
RT_ICON	0x27500	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.6560283687943262
RT_GROUP_ICON	0x27968	0x30	data	Russian	Russia	0.9375
RT_VERSION	0x27998	0x2a4	data	English	United States	0.4349112426035503
RT_MANIFEST	0x27c3c	0x346	ASCII text, with CRLF line terminators	English	United States	0.5071599045346062

Imports

DLL	Import
COMCTL32.dll
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll	GetWindowLongW, GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, GetDlgItem, GetParent, GetWindowRect, GetClassNameA, CreateWindowExW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, SendMessageW, EndDialog, wsprintfW, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, MessageBoxA, ScreenToClient, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, CreateWindowExA, wvsprintfW, CharUpperW, GetKeyState, CopyImage
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll	VariantClear, SysFreeString, OleLoadPicture, SysAllocString
KERNEL32.dll	GetFileSize, SetFilePointer, ReadFile, WaitForMultipleObjects, GetModuleHandleA, SetFileTime, SetEndOfFile, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, GetProcAddress, GetModuleHandleW, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetStartupInfoA
MSVCRT.dll	??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _wtol, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _purecall

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2024 08:59:37.426496983 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:37.426512003 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:37.431361914 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:37.431401014 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:37.434534073 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:37.434653044 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:37.435000896 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:37.436356068 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:37.439832926 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:37.439924002 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:37.441458941 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:38.002526045 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:38.039395094 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:38.049770117 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:38.091003895 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:38.135320902 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:38.194389105 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:39.058331013 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:39.063534975 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:39.258241892 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:39.263490915 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:39.364341974 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:39.364386082 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:39.364651918 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:39.369283915 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:39.369297028 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:39.370424986 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:39.373712063 CEST	49731	443	192.168.2.7	77.68.29.80
Aug 21, 2024 08:59:39.373744011 CEST	443	49731	77.68.29.80	192.168.2.7
Aug 21, 2024 08:59:39.387195110 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:39.387353897 CEST	49731	443	192.168.2.7	77.68.29.80
Aug 21, 2024 08:59:39.387609005 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:39.392502069 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:39.397650003 CEST	49731	443	192.168.2.7	77.68.29.80
Aug 21, 2024 08:59:39.397670031 CEST	443	49731	77.68.29.80	192.168.2.7
Aug 21, 2024 08:59:39.397804022 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:39.397907019 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:39.402760029 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:39.402820110 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:39.402847052 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:39.402856112 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:39.402865887 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:39.402869940 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:39.402997017 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:39.467047930 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:39.515990973 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:39.562829018 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:39.605149984 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:39.701167107 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:39.705984116 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:39.724183083 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:39.724251986 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:39.728986025 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:39.729079962 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:39.745915890 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:39.745958090 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:39.746309042 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:39.750782013 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:39.750794888 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:39.752713919 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:39.794981003 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:39.799858093 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:39.906966925 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:39.907030106 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:39.907078981 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:39.923273087 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:39.939707041 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:39.966773033 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:39.982355118 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:40.013832092 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:40.058816910 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:40.078960896 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.078979969 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.078991890 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.079003096 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.079046965 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:40.079086065 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:40.088702917 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.088751078 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.088762045 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.088773012 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.088813066 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:40.124586105 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.124779940 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:40.124990940 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:40.127082109 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:40.127171040 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:40.129609108 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:40.129623890 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:40.130268097 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.132114887 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:40.132126093 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:40.132581949 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:40.132615089 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:40.132704973 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:40.142996073 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:40.143012047 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.143017054 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:40.147846937 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:40.203916073 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.208842993 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:40.230833054 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.235635996 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:40.266314030 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.271691084 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:40.288510084 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.293313026 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:40.295001984 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:40.311604023 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.318810940 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:40.323504925 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:40.324516058 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:40.324911118 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:40.328572989 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:40.328896999 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.329674006 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:40.333823919 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:40.342971087 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.343344927 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:40.343628883 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:40.348077059 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.348469973 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.350487947 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.372108936 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.377110004 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:40.485368013 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:40.519395113 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:40.523581028 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:40.531608105 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.574024916 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:40.574038029 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:40.722647905 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.783860922 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:40.804008961 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:40.847192049 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:40.915213108 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:40.915446997 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:40.915621996 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:40.920213938 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:40.920411110 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:40.920435905 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:40.929347038 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:40.929358006 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:40.929924011 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:40.929929972 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:40.931309938 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:40.931375980 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:40.934954882 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:40.935038090 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:40.950907946 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:40.950928926 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:40.950989962 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:40.971510887 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:40.992535114 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:41.000057936 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:41.016844988 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:41.046844959 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:41.051762104 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:41.110066891 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.110100985 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.110119104 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.110131979 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.110160112 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.110208035 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.110934973 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.110946894 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.110961914 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.110989094 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.111706972 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.111725092 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.111736059 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.111761093 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.111778975 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.112590075 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.112608910 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.112688065 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.112950087 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:41.133559942 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:41.171513081 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:41.176688910 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:41.208277941 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.208364010 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.208375931 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.208409071 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.208420992 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.208432913 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.208446026 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.208468914 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.208518028 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.209253073 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.209265947 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.209276915 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.209286928 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.209300995 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.209326982 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.209887981 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.209945917 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.209956884 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.209968090 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.209990978 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.210016012 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.210686922 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.210697889 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.210709095 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.210719109 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.210735083 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.210761070 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.211543083 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.212166071 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.212265015 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:41.245235920 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:41.245287895 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:41.245392084 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:41.245445967 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:41.245445967 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:41.298715115 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:41.342219114 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.125130892 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:42.125719070 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.125756025 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.125807047 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.125823975 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.125850916 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.125869989 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.125889063 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.125925064 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.125941992 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.126029015 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.126045942 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.129251957 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:42.129282951 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:42.129528046 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:42.129553080 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:42.129573107 CEST	49733	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:42.129580975 CEST	443	49733	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:42.130284071 CEST	49734	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:42.130312920 CEST	443	49734	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:42.130387068 CEST	49734	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:42.135462999 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:42.136332989 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.136347055 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.136357069 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.136529922 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.136678934 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.136688948 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.136698008 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.136768103 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.136799097 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.136951923 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.137228966 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.137454987 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.143363953 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:42.143914938 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:42.148597956 CEST	49734	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:42.148614883 CEST	443	49734	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:42.154778957 CEST	49731	443	192.168.2.7	77.68.29.80
Aug 21, 2024 08:59:42.158003092 CEST	49734	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:42.158102989 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:42.158102989 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:42.158267021 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:42.164561987 CEST	53	49729	192.155.93.29	192.168.2.7
Aug 21, 2024 08:59:42.164577961 CEST	22	49727	45.128.38.162	192.168.2.7
Aug 21, 2024 08:59:42.164587021 CEST	80	49730	217.138.199.186	192.168.2.7
Aug 21, 2024 08:59:42.164621115 CEST	49729	53	192.168.2.7	192.155.93.29
Aug 21, 2024 08:59:42.164652109 CEST	49730	80	192.168.2.7	217.138.199.186
Aug 21, 2024 08:59:42.164695978 CEST	49727	22	192.168.2.7	45.128.38.162
Aug 21, 2024 08:59:42.200500011 CEST	443	49731	77.68.29.80	192.168.2.7
Aug 21, 2024 08:59:42.204492092 CEST	443	49734	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:42.425448895 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:42.467593908 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:42.816102982 CEST	443	49734	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:42.816195011 CEST	443	49734	37.46.119.50	192.168.2.7
Aug 21, 2024 08:59:42.816270113 CEST	49734	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:42.816270113 CEST	49734	443	192.168.2.7	37.46.119.50
Aug 21, 2024 08:59:44.185739994 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:44.191072941 CEST	22	49728	217.160.34.195	192.168.2.7
Aug 21, 2024 08:59:44.201370001 CEST	49728	22	192.168.2.7	217.160.34.195
Aug 21, 2024 08:59:57.311168909 CEST	49731	443	192.168.2.7	77.68.29.80
Aug 21, 2024 08:59:57.311183929 CEST	443	49731	77.68.29.80	192.168.2.7
Aug 21, 2024 09:00:12.411293030 CEST	49731	443	192.168.2.7	77.68.29.80
Aug 21, 2024 09:00:12.411305904 CEST	443	49731	77.68.29.80	192.168.2.7
Aug 21, 2024 09:00:27.421124935 CEST	49731	443	192.168.2.7	77.68.29.80
Aug 21, 2024 09:00:27.421139002 CEST	443	49731	77.68.29.80	192.168.2.7
Aug 21, 2024 09:00:42.512546062 CEST	49731	443	192.168.2.7	77.68.29.80
Aug 21, 2024 09:00:42.512564898 CEST	443	49731	77.68.29.80	192.168.2.7
Aug 21, 2024 09:00:57.568883896 CEST	49731	443	192.168.2.7	77.68.29.80
Aug 21, 2024 09:00:57.568893909 CEST	443	49731	77.68.29.80	192.168.2.7
Aug 21, 2024 09:01:12.622401953 CEST	49731	443	192.168.2.7	77.68.29.80
Aug 21, 2024 09:01:12.622412920 CEST	443	49731	77.68.29.80	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2024 08:59:37.436537027 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:37.653834105 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:37.653882027 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:38.015894890 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:38.015928984 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:38.030148983 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:38.216099024 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:38.216420889 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:38.416721106 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:38.416735888 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.016324043 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.016349077 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.058727980 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.365369081 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.374275923 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:39.374363899 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.374443054 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.379718065 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.379791975 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.379791975 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.379791975 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.379894018 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.379906893 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.379906893 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.379906893 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.380049944 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.380109072 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.398871899 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:39.399209023 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:39.407294035 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.407324076 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.575963020 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.580938101 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.581068993 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.581738949 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.597366095 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.597491026 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.597506046 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.597548008 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.597558975 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.597568989 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.597579956 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.598870993 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:39.607302904 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.607363939 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.701004028 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:39.702136993 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.703649044 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.703696966 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.708312035 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:39.714801073 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:39.714843035 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.714864016 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.714910984 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.715049982 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.715099096 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.715156078 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.715173006 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.715243101 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.715270042 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.715327024 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.716317892 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.716353893 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.716464996 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.717319012 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.717379093 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.717490911 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.718082905 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.718112946 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.718164921 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.718215942 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.718645096 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.719291925 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:39.724216938 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:39.725186110 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:39.743136883 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:39.743458986 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.747987032 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:39.748501062 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:39.751123905 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:39.754904032 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.756144047 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.756856918 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.757642031 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.757695913 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.757735968 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.757747889 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.757759094 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.758291960 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.758343935 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.760636091 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.764816999 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:39.776768923 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:39.795207977 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:39.809442997 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:39.821898937 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:39.860156059 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:39.872205973 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:39.920874119 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:39.925656080 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:40.130485058 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:40.130574942 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.176182985 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.183083057 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.193512917 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.199588060 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.207117081 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.207190037 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.207199097 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.208436012 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.208775997 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.232969999 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.240803957 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.243525028 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.261836052 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.288430929 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.292414904 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.292634010 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.295489073 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.295566082 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.295811892 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.313442945 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.319780111 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.319791079 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.323616028 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.330928087 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.331404924 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:40.336131096 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.339510918 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:40.339510918 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.347914934 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.350662947 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.371989965 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.373589039 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.376646996 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.377578974 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.379564047 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.380132914 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.401628017 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.402781010 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.402910948 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.403114080 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.415395021 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.419775963 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.420192003 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.426862955 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.427172899 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.427228928 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.427628994 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.427858114 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.428002119 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.436433077 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.436533928 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.437982082 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.439758062 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.443300962 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.443517923 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.445605993 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.447856903 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.450251102 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.450414896 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.451594114 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.452471018 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.457227945 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.457390070 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.457483053 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.459331989 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.460055113 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.460105896 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.460155010 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.460165977 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.460222006 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.460233927 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.460243940 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.460257053 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.460350990 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.460362911 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.460511923 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.460764885 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.460865974 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.460865974 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.460954905 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.460954905 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.461118937 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.461195946 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.461654902 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.461766958 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.461965084 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.462100029 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.463068008 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.465327024 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.465488911 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.467763901 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.467777967 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.467791080 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.467961073 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.469192028 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.469379902 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.472585917 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.472873926 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.473942041 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.474488974 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.476218939 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.477315903 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.477541924 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.478275061 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.478435040 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.478602886 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.480745077 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.481748104 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.481764078 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.481812000 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.482007980 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.482826948 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.484591007 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.484735012 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.484795094 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.500622988 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.500637054 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:40.506078959 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.540925980 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:40.562525034 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.640568972 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.896939039 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.896953106 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.914648056 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.915216923 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:40.930608988 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.931256056 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.931339979 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.940210104 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.941003084 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.941370964 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.941370964 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.941370964 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.941397905 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.949343920 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:40.950274944 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.950397015 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.952573061 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.958137035 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.958800077 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:40.966352940 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.968983889 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.976258039 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:40.980237007 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:41.000236034 CEST	53	64150	146.70.54.146	192.168.2.7
Aug 21, 2024 08:59:41.116281986 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.128963947 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:42.158435106 CEST	64151	554	192.168.2.7	146.70.144.213
Aug 21, 2024 08:59:42.338990927 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.342653990 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.342744112 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.342753887 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.342765093 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.342849016 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.342859983 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.342890024 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.342907906 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.342993021 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.343004942 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.350218058 CEST	554	64151	146.70.144.213	192.168.2.7
Aug 21, 2024 08:59:42.963460922 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:42.963598967 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:42.963676929 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:43.003305912 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.005165100 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.005179882 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.005192041 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.005203009 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.005215883 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.005228996 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.005240917 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.005253077 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.005575895 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:43.005636930 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:43.005850077 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:43.005850077 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:43.005850077 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:43.012499094 CEST	64150	53	192.168.2.7	146.70.54.146
Aug 21, 2024 08:59:43.012550116 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:43.052490950 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.809391975 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:43.809406042 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:44.183049917 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:44.185925007 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:44.186029911 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:44.186089039 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:44.186148882 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:44.222899914 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:44.225558043 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:44.250904083 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:44.251054049 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.069720030 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.550488949 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.592861891 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.592881918 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.592894077 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.592905998 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.594438076 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.594590902 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.594736099 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.594789982 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.600903988 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.634172916 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.640860081 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.641069889 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.641421080 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.662996054 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.681142092 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.727629900 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.832617044 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.832631111 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.832640886 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.836196899 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.836266041 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.836807013 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:45.876241922 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:45.937392950 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.003519058 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.006233931 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.029906988 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.075953960 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.075978041 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.075990915 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.085722923 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.085722923 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.085902929 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.091758013 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.131314993 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.131732941 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.161094904 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.172383070 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.212649107 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.337799072 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.337867975 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.337887049 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.337898016 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 08:59:46.340240002 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.340475082 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.340475082 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 08:59:46.379908085 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:01.380140066 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:01.420864105 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:05.301233053 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:05.365993977 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:05.597923994 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:05.599781036 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:05.664654016 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:05.824625015 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:05.824655056 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:05.824700117 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:05.832945108 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:05.833055973 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:05.833097935 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:05.833410978 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:05.844886065 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:05.884732962 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.065458059 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.065609932 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.124131918 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.124255896 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.161247015 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.164269924 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.226176977 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.381143093 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382291079 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382369995 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382498980 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382620096 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382627010 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382694960 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382702112 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382713079 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382745981 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382751942 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.382757902 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.384726048 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.388789892 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.389781952 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.393054962 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.566899061 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.566926956 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.566945076 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.566965103 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.566973925 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.566984892 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.566991091 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.566997051 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.567011118 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.567017078 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.568631887 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.571968079 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.670358896 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.670506954 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.670583963 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.670712948 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.670917988 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.670917988 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.670917988 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.671406984 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.671576023 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.671971083 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.672568083 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.672769070 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.672966003 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.673182011 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.673255920 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.673321009 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.673377991 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.673995018 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.673995018 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.674015999 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.674427986 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:06.710386992 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.712378025 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:06.713804007 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:07.007672071 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:07.047589064 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:07.103950977 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:07.529860973 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:07.597052097 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:07.822062969 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:07.822973013 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:07.887588024 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.056869984 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.056880951 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.056891918 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.058460951 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.059345961 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.059408903 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.059448957 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.059462070 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.059676886 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.059737921 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.059798956 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.059983015 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.060457945 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.060457945 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.060457945 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.062932968 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.062978029 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.063086033 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.063093901 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.063278913 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.063393116 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.063500881 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.063694954 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.063694954 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.063711882 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.066576004 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.066586018 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.066596985 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.067080021 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.067209005 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.070228100 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.070235014 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.070246935 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.070527077 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.073745966 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.073755980 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.073769093 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.078437090 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.078447104 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.080543995 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.082221985 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.085287094 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.085374117 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.085504055 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.085727930 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.085747004 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.085747004 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.085938931 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.088074923 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.090286016 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.092531919 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.095916033 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.097033024 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.099402905 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.100123882 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.101902962 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.102296114 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.103091955 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.103826046 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.104130030 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.104295969 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.104712009 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.104768991 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.104892015 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.105447054 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.106729031 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.108620882 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.109947920 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.111757040 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.113964081 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.115216017 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.116331100 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.117285967 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.117291927 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.117404938 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.117569923 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.117569923 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.117748022 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.118397951 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.118932962 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.120070934 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.121862888 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.123114109 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.124711037 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.124819040 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.125201941 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.125956059 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.126986027 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.127861023 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.128231049 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.128798008 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.129638910 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.130701065 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.131967068 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.132193089 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.132240057 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.133440971 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.134584904 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.135740995 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.135777950 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.136173964 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.137020111 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.137339115 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.138467073 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.139420033 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.140574932 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.141803980 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.144232988 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.144639969 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.144807100 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.144920111 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.157203913 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.171778917 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.184382915 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.250336885 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.250346899 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.250359058 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.251111984 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.251234055 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.251435041 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.252907038 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.252913952 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.256259918 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.256268978 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.256341934 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.256351948 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.257838011 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.257904053 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.258034945 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.258325100 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.258460045 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.258749008 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.258789062 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.258810997 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.259975910 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.260014057 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.260025978 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.260819912 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.260819912 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.261029005 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.263624907 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.266777039 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.266973972 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.267046928 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.267116070 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.267123938 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.268826962 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.268942118 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.269340038 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.269355059 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.269376993 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.270586967 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.270684004 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.270689964 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.274290085 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.274313927 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.274317026 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.274322987 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.276791096 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.276840925 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.277215004 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.277215004 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.277215004 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.277364016 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.277364016 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.277611017 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.277614117 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.277630091 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.277704000 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.277918100 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.279282093 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.279463053 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.279746056 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.279839039 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.279839039 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.281579971 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.281588078 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.281609058 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.281896114 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.281896114 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.282078981 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.284713984 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.284840107 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.284853935 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.284867048 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.285080910 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.285171032 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.285248995 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.285362959 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.285402060 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.285402060 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.288288116 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.288358927 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.288517952 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.288525105 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.288697004 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.288758039 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.288852930 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.289055109 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.289055109 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.289055109 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.291894913 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.291912079 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.292058945 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.292068005 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.297609091 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.297748089 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.297843933 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.297981977 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.298111916 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.298111916 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.298173904 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.300632000 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.308736086 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.308793068 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.308832884 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.308839083 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.309144974 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.309293985 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.316696882 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.316968918 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.317919970 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.317979097 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.318017006 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.318025112 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.318207026 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.318207026 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.318296909 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.318409920 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.318454027 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.318454027 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.319228888 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.324651003 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.326766014 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.326802015 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.326976061 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.326992035 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.327024937 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.327111006 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.327246904 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.327269077 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.327689886 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.329351902 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.329359055 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.329366922 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.329605103 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.329653025 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.329754114 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.332153082 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.332176924 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.332263947 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.332334042 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.332364082 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.332413912 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.332504034 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.332693100 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.332693100 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.335648060 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.335740089 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.335828066 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.335834026 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.336338043 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.336596012 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.337070942 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.337232113 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.337233067 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.337368965 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.337882996 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.339241028 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.339276075 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.339317083 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.339330912 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.341206074 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.341339111 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.341619015 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.341619015 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.341655016 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.341655016 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.342886925 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.342930079 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.342967033 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.343411922 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.343489885 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.343528032 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.343657970 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.346415997 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.346487999 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.346494913 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.346921921 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.346976042 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.347091913 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.349950075 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.349996090 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.350068092 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.350076914 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.350666046 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.351037979 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.351193905 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.351193905 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.351360083 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.357891083 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.367240906 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.372016907 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.376586914 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.381161928 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.383089066 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.390594006 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.416716099 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.443516016 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.443533897 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.443543911 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.443550110 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.446094036 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.446139097 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.446147919 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.447978020 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.448178053 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.448227882 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.448235035 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.451077938 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.451122999 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.451133013 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.451139927 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.453491926 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.453660965 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.453711987 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.453747034 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.453883886 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.454268932 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.454298019 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.454325914 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.454346895 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.454399109 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.454406023 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.455272913 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.455341101 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.455681086 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.455847025 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.455986023 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.456037045 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.456444025 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.456670046 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.456940889 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.456940889 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.457010984 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.457010984 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.457139969 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.457180977 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.457808971 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.457815886 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.457822084 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.460103035 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.460108995 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.460120916 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.460927963 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.461066008 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.461142063 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.461185932 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.461430073 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.463136911 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.463145018 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.463156939 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.466092110 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.466176033 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.466181993 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.468153954 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.468184948 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.468302011 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.468493938 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.468672991 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.469136000 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.469170094 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.469178915 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.472166061 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.472183943 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.472191095 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.473596096 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.473865032 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.473982096 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.474253893 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.475260973 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.475266933 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.475279093 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.475315094 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.475315094 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.478293896 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.478301048 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.478311062 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.481167078 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.481184006 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.481235981 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.481242895 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.481257915 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.481810093 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.481966019 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.482141972 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.482544899 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.482681036 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.484169960 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.484190941 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.484200954 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.484677076 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.484890938 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.487065077 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.487159967 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.487245083 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.487307072 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.487376928 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.487495899 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.487586975 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.487865925 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.487865925 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.487865925 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.490246058 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.490255117 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.490268946 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.493072033 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.493828058 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.495450974 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.496531010 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.496572971 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.496705055 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.496817112 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.497206926 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:08.500564098 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.507915020 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.513463020 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.521327019 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.522120953 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.527236938 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:08.544790030 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:23.565247059 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:23.695398092 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:23.695431948 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:23.917037964 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:23.917037964 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:24.348376989 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:24.348376989 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:24.368797064 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:24.369209051 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:24.369213104 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:24.369590998 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:24.369596004 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:24.370359898 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:24.370363951 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:24.402024984 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:24.402121067 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:24.402121067 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:24.405389071 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:24.410260916 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:24.411648989 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:24.434684038 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:38.493319035 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:38.586348057 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:38.586358070 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:38.771924019 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:38.772512913 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:38.805497885 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:38.808537006 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:38.808634043 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:38.870383978 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:38.872395039 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:45.851963997 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:00:45.891602993 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:00:45.927828074 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:01:00.904675007 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:01:00.969532013 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:15.944353104 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:16.037666082 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:16.037683010 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:16.224821091 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:16.224834919 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:16.597706079 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:16.597721100 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:17.343102932 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:17.343120098 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:18.262377977 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:01:18.262618065 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:01:18.262651920 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:01:18.262671947 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:01:18.262742043 CEST	64149	53	192.168.2.7	196.196.218.27
Aug 21, 2024 09:01:18.834125996 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:18.834189892 CEST	53	64149	196.196.218.27	192.168.2.7
Aug 21, 2024 09:01:18.834614992 CEST	64149	53	192.168.2.7	196.196.218.27

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 21, 2024 08:59:42.339062929 CEST	192.168.2.7	146.70.144.213	e3c6	(Port unreachable)	Destination Unreachable

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 21, 2024 08:59:04.859134912 CEST	1.1.1.1	192.168.2.7	0xa067	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Aug 21, 2024 08:59:04.859134912 CEST	1.1.1.1	192.168.2.7	0xa067	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

australiais.org

eljvuop.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49730	217.138.199.186	80	8156	C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe

Timestamp	Bytes transferred	Direction	Data
Aug 21, 2024 08:59:39.397804022 CEST	551	OUT	POST / HTTP/1.1 Host: eljvuop.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Content-Length: 6454 Content-Type: image/tiff Cookie: ak_cuscartcart=x0es792JsQU9UiGh7qdRQDsg5TsEs1HHQ2gwlakxB8UhHggMKVMQdiNuU8Gh5XnZb+oMIqtQMgSvdauo9ZtoxB6SqgdSq4hwcCbvlBsyWyajNGqqaC+OACxPDbrqt0yXtUqRfWHt1wweFCP9qluLkHrPxC7K6jXt5KpBFbXpzbYcsD4EopkXOWo9VfrZnxTsVNiicS/3YBH04pQoialfFQI84WWIi0eoQdd8jij0s8Zc8Rtev9OUkNVMfJKlymNKdwVyC/GKLgT57lP5yWUe9dgw0u+75BrcgY5V Accept-Encoding: gzip
Aug 21, 2024 08:59:39.397907019 CEST	6454	OUT	Data Raw: f7 b6 41 0c 3b 7c a5 64 7f 17 06 a6 69 52 73 6e 06 84 bd e2 ac a8 de 35 71 27 5a e9 10 21 76 8b 12 8f df 9f 10 e7 f4 c6 54 95 80 2e ce 24 41 4c be da 05 08 fb cc ce d2 83 12 c7 bf 32 bc d4 12 0a 53 b4 c7 fa 4a b8 77 30 d5 b1 1e 31 0b d5 e5 9c f9 Data Ascii: A;\|diRsn5q'Z!vT.$AL2SJw01[:Ojp:<O/+~.'1\jTbsS3nR\|H6N}J)CC>rm8y'2AT{B\]M#/N,)
Aug 21, 2024 08:59:40.078960896 CEST	1236	IN	HTTP/1.1 200 OK Set-Cookie: ak_cuscartcart=vWR4wVcczUw/qsqsg1H1zg Date: Wed, 21 Aug 2024 06:59:39 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Data Raw: 31 63 35 35 0d 0a 19 02 7a ad 42 8d 8d d1 49 73 35 28 35 98 3b 07 09 f7 18 39 2a 5a aa 00 63 3f 9b 78 78 88 d9 9e 65 89 1d 41 77 03 d8 1b 96 4a a3 b1 73 25 2a 8f a9 c1 0c 01 c9 41 c1 aa 46 86 c5 aa a6 ff 68 30 07 79 de 71 97 0d 4f 9f 55 1f 86 c2 0d 04 aa 79 cf 25 61 60 db bb 71 82 f5 32 34 ae 4e 3a 66 8b ba 10 6b 04 26 01 71 d3 62 1c d9 82 71 9f 5b 78 8a d7 1e 3f 1e 19 46 f9 8c 12 6d 87 39 8f 33 9f 28 3c 2b 7d 98 45 1f 17 dd c6 74 d3 eb 14 0c 6e 1e 40 60 a0 09 15 42 bc 71 54 66 b3 36 fe f7 db 77 0f 8a 7e fe bb 12 69 1e da 0c 68 e3 fc 1f 8c 69 fa e5 a6 b3 fc f6 f5 02 9b 28 c1 95 77 66 bc e4 79 45 92 df f2 c1 4c 0e 10 cf 2f 28 04 f8 c5 c4 41 44 87 8d 98 6c bb 4e 4b 82 4b b1 24 93 70 98 69 68 ea 65 41 51 59 d7 08 19 f8 8b 7e 1e e9 ee a6 1b d9 00 93 cc 11 5e 1d e0 39 81 88 75 c0 0c ba 10 32 88 3f 6f a5 9f a9 69 68 bd a7 6f 9b b5 67 00 ce 84 0e 61 f1 2e 72 11 1c 96 5e e7 16 c8 b4 17 aa c8 3b 50 32 42 13 db 47 29 88 5a 3c f4 30 c9 59 54 7c 60 d0 2c a8 0a 40 d0 83 64 c9 ef 00 c7 3d cb 56 75 9b 13 a3 74 60 [TRUNCATED] Data Ascii: 1c55zBIs5(5;9Zc?xxeAwJs%AFh0yqOUy%a`q24N:fk&qbq[x?Fm93(<+}Etn@`BqTf6w~ihi(wfyEL/(ADlNKK$piheAQY~^9u2?oihoga.r^;P2BG)Z<0YT\|`,@d=Vut`0@(LyNjYXR@t3Yo0WYqm(1S9[o-'ACmxXtG d/a//Y/S.sM.BY;\|mb3bCP6M~$Ye\keil(vi@k/`Py9NL4SI;Q%ca$(wO4bCQ:8tOhzG0Y5hLk.Fn[(YEA^+~Yjd(+9FFF$td8GIS-0Q&pe9k"'OU;O?10:I 9UV]m'XLh+LY/*)gxZ{x!T)V>Ah#aPL7-wS26YJnf7@mq#F7I_]8"L},H5cs21"T7 [TRUNCATED]
Aug 21, 2024 08:59:40.078979969 CEST	1236	IN	Data Raw: a3 8b 5f 87 d4 cf 0b 77 ca 79 98 da 06 01 17 f8 0f b9 be 17 76 f0 da 36 f0 3a f8 ae 96 3e 3a d5 1a c9 d2 60 5c dd ed 66 ac a1 20 b2 10 20 93 b5 b3 b7 98 50 b2 5e a2 0f 92 85 40 c0 2d 58 8b 3f 37 bc db 91 b8 39 ba a9 a1 c2 af cc 69 b6 d6 5e 77 a1 Data Ascii: _wyv6:>:`\f P^@-X?79i^w{a92c[r'l~oLk^}(g\v6bOn<X\|.y#$4VKfq)M/wMQrp{ro10nIxrL8(b@']!`7&>"PPi
Aug 21, 2024 08:59:40.078991890 CEST	1236	IN	Data Raw: 98 7a ef b3 69 96 8e 1f e6 d0 b5 52 ca 91 4d 83 a2 8d ed c3 4e cf 09 ae 42 a0 4e 12 10 72 25 82 89 47 6e 64 a9 8f d9 a8 a0 72 05 a5 57 fa 39 34 82 af 24 5c 32 77 9d 68 1c 0f 54 86 28 6a 80 61 22 db 55 01 34 ab 45 9d 5f c2 80 5f 24 95 e1 bf c6 6b Data Ascii: ziRMNBNr%GndrW94$\2whT(ja"U4E__$kb2CQ;3i+g?5HB2&uYQ'5}ufA14G3n$0\Nr0l~^M`kG*On@i[: WuR65_\jtq!wG1(Vs5e
Aug 21, 2024 08:59:40.079003096 CEST	388	IN	Data Raw: 3d 2b 32 4e 1c 4f 32 e2 48 e2 c1 5e b0 e1 77 b6 e6 fd 68 d3 08 94 6a 71 cc c2 0b 75 e7 24 63 76 19 e0 0e 68 46 41 47 64 0b 24 e3 6c 3b 07 1b 50 e6 9d d2 5c 9a fa 3d 6b 99 bc 03 da cf eb f9 22 2f 9d 00 ae 1d 29 2f c6 e9 83 51 e2 ed 5f 02 bd c7 a9 Data Ascii: =+2NO2H^whjqu$cvhFAGd$l;P\=k"/)/Q_)r@<'Rb6nM"c1,in6SWi1x"1nBFoP l8eZ%2U{ej 7qq%\vZ_LKD\kQ>&^zv
Aug 21, 2024 08:59:40.088702917 CEST	1236	IN	Data Raw: 4b 21 e8 bc ad d1 83 b8 87 78 ed 00 d9 e4 65 cb 74 06 ac 9b b2 33 76 fc 95 6e cf db 56 58 a0 28 81 a2 40 0f 5e b8 e4 b8 a6 80 f6 90 cf c9 ee 34 2d 7e 2a ca 0a a2 d8 e8 e3 2f 06 8c 9a 57 3d f7 6a db 01 34 2f f0 d9 41 97 24 5f a6 52 94 92 44 02 87 Data Ascii: K!xet3vnVX(@^4-~/W=j4/A$_RDDZ%z4H-Vp2Eicw]>dqO\|rMq\O]&1.HwId"C\|\1CeM<7DZpaIIebJ`HTc
Aug 21, 2024 08:59:40.088751078 CEST	1236	IN	Data Raw: b8 a2 73 e1 6b 9a a2 76 64 fa e2 de 0f 46 9e 50 c7 60 f9 59 96 14 2e 53 31 af da d5 cd b2 2a ac 2c 17 ae b2 1a 94 44 21 67 bc 36 22 6b 18 49 3e f8 2a 35 2b 49 a2 0d 4e a6 d7 c6 b0 82 b0 8b 48 90 81 80 c3 a7 f5 1b c6 db d7 6c 32 d3 72 38 65 60 e1 Data Ascii: skvdFP`Y.S1,D!g6"kI>5+INHl2r8e`#~i_>"mpjEm$N&$@9/}pLuS"sX\gVmX{H*+azmzkSR==1ZUR
Aug 21, 2024 08:59:40.088762045 CEST	1236	IN	Data Raw: 90 53 db 80 99 4a b7 f3 63 73 35 3f 57 31 ab 0c fa b9 86 30 33 97 20 2c 86 2c c9 cf bf f8 35 66 c0 ae da 30 9e 1f 4d 35 21 7f 4e 3d e7 f7 53 95 14 46 0c e0 bc 07 eb 70 2d c2 8e ab 55 b1 5f a7 4e c0 db 98 e4 5e fa c7 1d 42 4e 85 98 33 eb 66 31 13 Data Ascii: SJcs5?W103 ,,5f0M5!N=SFp-U_N^BN3f1R(Q\|w7H]2!Y-WAu:)K+8j(EYK cCjjqfCbUS!^hn^I=m=>0!eQ>Dq!-QQvkSX/N
Aug 21, 2024 08:59:40.088773012 CEST	500	IN	Data Raw: 91 72 ed b5 a5 b0 74 fe 2d 43 9e 9f 66 ec e0 55 eb 6c 30 d6 db 75 01 14 94 bb 6c 88 e7 1a 05 81 d9 f9 6b 94 6a 2d 11 5e 44 a0 70 fd 9d fd c4 14 6d c7 14 c3 a2 d9 46 b4 1c dc 4a de 2e c6 a2 06 98 9f eb 37 e1 ac 4e d5 62 60 0b d7 93 98 73 f1 64 14 Data Ascii: rt-CfUl0ulkj-^DpmFJ.7Nb`sdnG{C6+)Ty?h@*:=fG0&bf.N^2Y-c5}bSW.Z@rN.a8'!(\|'2!rm
Aug 21, 2024 08:59:40.124990940 CEST	278	OUT	POST / HTTP/1.1 Host: eljvuop.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Content-Length: 0 Content-Type: image/tiff Cookie: ak_cuscartcart=vWR4wVcczUw/qsqsg1H1zg Accept-Encoding: gzip
Aug 21, 2024 08:59:40.342971087 CEST	75	IN	HTTP/1.1 200 OK Date: Wed, 21 Aug 2024 06:59:40 GMT Content-Length: 0
Aug 21, 2024 08:59:40.343344927 CEST	281	OUT	POST / HTTP/1.1 Host: eljvuop.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Content-Length: 1047 Content-Type: image/tiff Cookie: ak_cuscartcart=vWR4wVcczUw/qsqsg1H1zg Accept-Encoding: gzip
Aug 21, 2024 08:59:40.343628883 CEST	1047	OUT	Data Raw: 4d 8d b0 b0 38 b9 49 bd 00 8d 58 92 e6 66 a5 86 d3 b2 d2 99 78 25 ff d5 52 0f 67 ce 96 8c 8c af bc 2e b3 ee 04 06 8d c2 4b d6 1f d9 e4 ec 50 08 c6 43 62 c5 f3 40 2b b0 bf 89 af 82 73 fa 16 ab 52 5d 83 7f 67 01 11 4b da c2 35 9d f9 51 af 43 fa 1c Data Ascii: M8IXfx%Rg.KPCb@+sR]gK5QC^I8a`-\4Zw}Q;89MC.z/lPy\|cj1I~0\|=4,!T`[qeyV`"SKKu:Nm>B1qR(+T?$dj*40
Aug 21, 2024 08:59:40.722647905 CEST	904	IN	HTTP/1.1 200 OK Date: Wed, 21 Aug 2024 06:59:40 GMT Content-Length: 787 Content-Type: application/octet-stream Data Raw: 3b c8 43 23 18 67 51 70 af 25 ea 51 26 08 a6 b5 e7 a4 fd 9e 48 40 aa b2 49 43 27 4a 0b d8 1f 46 c5 fc 8c b8 b5 d5 a2 c3 91 59 55 50 8d 54 09 f0 d4 1d 7e 1c bb a7 e7 7a 05 d5 df 9a fd be 85 f4 57 e8 3a 36 0d 76 ba b7 48 ff 3b 5e 53 38 b9 17 e2 b7 5c c4 d4 94 10 5e 9a 23 2a 0d a5 67 30 01 ea ea be 24 13 b4 64 df af 59 b5 95 6e fb 79 e3 b7 ca 65 3b 6e dd 43 96 c8 a9 e8 d7 23 80 eb a6 63 77 3a a9 0b 05 a7 75 68 3a 96 21 61 8f 35 4d d2 88 db e8 67 6b a9 e7 bc 11 99 fe 91 ce 61 97 93 0c 97 3d d9 2c 93 c4 65 9f a5 c1 62 53 a4 70 9b 12 52 9f 84 43 8d 62 6e 12 99 c1 e8 90 71 42 f5 57 1a 72 93 a2 bb f6 33 e7 f4 2a 03 7a d0 b7 c6 39 38 a6 32 e9 c7 ed 06 64 92 d2 f8 05 82 25 31 da e1 32 3f 50 2d 4d a1 44 8f ac ea c4 2a 59 2d 62 e0 57 a3 30 77 86 d8 d1 b4 10 db 3a b4 29 33 64 12 3e 26 33 0b 41 7c 43 3a 30 8d ac 88 76 a2 f1 04 69 01 de 6b 21 9f 92 0c e2 71 2c 16 a1 cd 42 f0 49 e2 77 46 39 94 3b fd 04 f8 f6 f1 ee 26 e7 72 65 2a 0f 7f 55 d0 97 b4 f9 af 50 ca 80 90 48 7c f3 ea 59 cb 53 d0 a0 b9 12 e6 90 de e2 1c 9c [TRUNCATED] Data Ascii: ;C#gQp%Q&H@IC'JFYUPT~zW:6vH;^S8\^#g0$dYnye;nC#cw:uh:!a5Mgka=,ebSpRCbnqBWr3z982d%12?P-MDY-bW0w:)3d>&3A\|C:0vik!q,BIwF9;&reUPH\|YS?U-.'fBi8A=\;+o4{ueG?)zZYMp@Rf&VFkg.aE!7pFlLS0:cjsSr`i0/zzaE"+GpujwSw.h,W^:%P)5MS=rr"hPfh^6pZ[;.xAhbDgiUJHB6=+fWm^~NyKC`lA{,$R<Vnbceyu/;[2olX>6+_7_@"ZO\|u7ZI[JJ(8nuRGG2U7HRs~3NF2E\mfMRwTY?
Aug 21, 2024 08:59:40.915621996 CEST	278	OUT	POST / HTTP/1.1 Host: eljvuop.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Content-Length: 0 Content-Type: image/tiff Cookie: ak_cuscartcart=vWR4wVcczUw/qsqsg1H1zg Accept-Encoding: gzip
Aug 21, 2024 08:59:41.133559942 CEST	75	IN	HTTP/1.1 200 OK Date: Wed, 21 Aug 2024 06:59:41 GMT Content-Length: 0
Aug 21, 2024 08:59:42.129251957 CEST	280	OUT	POST / HTTP/1.1 Host: eljvuop.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Content-Length: 143 Content-Type: image/tiff Cookie: ak_cuscartcart=vWR4wVcczUw/qsqsg1H1zg Accept-Encoding: gzip
Aug 21, 2024 08:59:42.129282951 CEST	143	OUT	Data Raw: eb c1 01 9a 45 4d c9 18 a8 23 ed 0e 32 6b 0f c4 3b 7a 88 6c ea 41 ed 5a c5 40 19 35 23 fa 42 ff ac 01 a4 c7 37 ab d1 f5 ae 1f 1e 83 97 55 8b cc f0 f2 53 93 eb a1 d8 28 b2 54 be fd 45 fa b3 45 4b 7e 6d 7b 1f 1d 47 2e 9c ee ca 5e de 13 3a ea 24 27 Data Ascii: EM#2k;zlAZ@5#B7US(TEEK~m{G.^:$')[jS'/bo>"z/YmZ&~1@

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49733	37.46.119.50	443	8156	C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-21 06:59:40 UTC	448	OUT	POST / HTTP/1.1 Host: australiais.org User-Agent: Go-http-client/1.1 Content-Length: 963 Content-Type: audio/mpeg Cookie: D=wkKgjSLUI1gWvAYywhTgWpudEpBrwCoEQ3X9G6bxZHDby1xaL+8oLoh9t6Tzo05eXwhOQ2egrkD4eLLYHfMuziuR2UF5WDjej7e4aCjldZD6zAa+Gsv3hKxjVQ5mG45MrhtDzAGTeiACJEVc9qs+44nACu4kwjBkYsaIF0EHxko+O/HaT44tmx/TAg+g+htD0hoHU6a/ieTPWBUl0WTsgGtrqEZPDlBr/6/t+j+tb0HtcZeQtNrebO9f4zocrCdVXMtu7S3T8hfRXU+l2Vlp63KVpSu449YoGW4V Accept-Encoding: gzip
2024-08-21 06:59:40 UTC	963	OUT	Data Raw: 79 2b 8a bf cc fa 15 0b 69 f1 ae 07 6f 3d 68 88 d9 c0 e1 07 f8 ca 08 fb 52 fb 7a 68 1a 7b 3c 45 a8 46 cd 15 0f 2f 7d bb d4 54 71 33 37 c1 82 28 33 d7 7f f5 b2 1a dc 0c 41 90 df c7 06 7f 27 68 d4 db 2c 88 74 81 9b 15 af 91 57 c5 23 c2 8f d0 24 f2 c5 63 33 59 40 15 7f db 38 0d fd 64 0b e2 03 9a b1 97 fc 9d 7b 2d 96 3f 65 05 c7 e0 1b 97 67 e4 dc 92 4a b3 d3 09 64 4b db 32 3e ae ec 8f 18 a7 ab d7 eb aa 32 96 96 da b1 2a 78 cc e6 47 dc 05 05 a5 87 c3 95 20 cc 78 ee 14 d4 9c 52 f2 45 89 c2 c8 86 0f b8 64 d0 e4 8b b6 8b 23 f0 a2 33 e0 ea 4d 3c 7e 99 87 8f ce cf d2 d8 2f 07 a5 9f 71 6b b9 17 28 34 36 9c 74 6c d1 20 ba da d4 c6 b5 03 64 5c c5 d4 8b f8 ef 7e fc 8e 25 96 c0 af 0f ea 5b c9 ee 01 25 47 4b a3 bf 1c f0 db 4e a2 3e 39 03 33 26 01 68 c8 b9 94 19 69 51 cb Data Ascii: y+io=hRzh{<EF/}Tq37(3A'h,tW#$c3Y@8d{-?egJdK2>2*xG xREd#3M<~/qk(46tl d\~%[%GKN>93&hiQ
2024-08-21 06:59:41 UTC	177	IN	HTTP/1.1 200 OK Set-Cookie: D=6PJFPolsTIsiw35Anw Date: Wed, 21 Aug 2024 06:59:41 GMT Content-Type: application/octet-stream Connection: close Transfer-Encoding: chunked
2024-08-21 06:59:41 UTC	1009	IN	Data Raw: 63 30 37 0d 0a 8c 05 4d 6d 15 de 60 ad 7a 82 92 fd 4b eb 35 88 63 19 5e 4f db 8c ce 5a 6e 29 cc 20 95 52 dd 0c bc a5 3e 3a 78 65 75 01 4d 98 d4 0a d0 e5 8a 10 e2 1a 96 9e ef 6c 2c da 8b 99 ca 56 f8 7e 6e ce d8 2d 60 78 76 ea 99 4c ff 34 d8 41 d8 f2 09 35 55 10 56 fc 4d 8d c4 20 44 7f 67 58 ff b5 1a 58 9d a7 4e 44 84 c5 ea d6 67 4d 43 0d d6 53 84 99 9c fa ab 62 9f d3 70 6b cc 93 14 83 dc 6e 58 a1 d6 50 3a d2 f4 d5 72 45 12 2e d4 05 13 fa 3c 79 ae ef f7 28 b0 e2 4d 1d 16 1a f1 5a f5 77 47 6d d4 42 15 55 f8 46 59 67 1e 49 76 b7 94 c2 44 89 ee ec ac 39 0f 49 d0 8b 61 19 16 49 44 1f a9 af 36 90 d6 f5 8f 5e 2a ae 42 29 51 b0 ed 65 44 c0 c5 42 0b 7e 84 3a 0e 38 b8 d1 d8 2e 2f 7b d9 13 06 a8 de c6 8c 49 c6 aa 76 36 87 fb 6a e9 74 25 71 ac b0 4f ff 66 7e 46 43 cf Data Ascii: c07Mm`zK5c^OZn) R>:xeuMl,V~n-`xvL4A5UVM DgXXNDgMCSbpknXP:rE.<y(MZwGmBUFYgIvD9IaID6^*B)QeDB~:8./{Iv6jt%qOf~FC
2024-08-21 06:59:41 UTC	2372	IN	Data Raw: f4 6c d2 c4 70 02 5b 89 4f 35 32 dd 9b 2f 7b 22 06 df 3d 50 75 b4 08 cd 29 e4 80 1c c7 c5 b5 55 b2 d9 26 39 2f 18 41 bc 6d f4 51 df a4 06 39 1a 99 7a c0 40 00 26 59 b3 a2 01 9a a7 78 96 69 0d 05 bd 0f 4f 7d c0 98 fb 1d 4d 7b 18 e3 2e 41 63 fc 28 2f 9e 7b f4 18 9a 87 29 60 26 a9 0c 1f 6e fa 9b 1f 75 98 6b ac 92 e5 93 28 af 33 8d 05 60 d4 df a4 e0 73 12 9a 58 be 7f 4a 24 d7 70 fc 59 77 5e 35 f2 d9 b7 5d 3f 73 1c 14 d4 ff ee 6f 8c ed c7 81 f2 85 0b 88 f7 8c 7d 63 9e 03 8a ed c4 e1 aa ad 5d 25 ad 0f 81 3d 38 95 a7 da 4c 77 7b 2e 88 a0 14 42 f3 62 1f a0 5f 71 97 c3 61 b9 4d 03 b9 69 f9 a6 03 3a 01 01 b6 6f 9f 10 99 d2 d8 95 e4 7e e6 20 5e 0c 05 2b 2d d0 c8 0b 25 d8 e2 fd 06 ed 53 5c 12 85 da 5b 0f 2b 5b 50 05 54 e9 35 37 83 d7 5c 95 04 fb 6b a9 15 38 64 dc 8f Data Ascii: lp[O52/{"=Pu)U&9/AmQ9z@&YxiO}M{.Ac(/{)`&nuk(3`sXJ$pYw^5]?so}c]%=8Lw{.Bb_qaMi:o~ ^+-%S\[+[PT57\k8d
2024-08-21 06:59:41 UTC	437	IN	Data Raw: 6b 08 a6 f0 ed 0e 61 71 d2 d3 ac 65 1a 3b 1a e9 f1 89 16 56 4a 3c 80 a8 0f 79 5f 31 eb a7 20 43 0a 22 ca b8 11 20 65 5e 38 59 e9 0a 5e 86 a9 55 ac c8 e1 04 c2 48 23 98 29 b5 df 15 58 ac 2d 21 95 38 74 fd b5 c5 d2 f9 16 4e 81 0f 6c 1a 4b 4b fb 5a d0 a4 51 27 1c ac f0 38 c9 4b 09 dd c2 92 9a 33 3c a4 9c 00 7e 1e 25 53 69 61 e9 8f 00 7b 41 b8 3c 58 e6 0c 0f 1c 4e e9 db 61 cb 0c 4f 9d 09 82 4d 49 a4 99 bc 33 3b b4 f8 ce db 66 73 09 68 af 93 8c 54 bb 9f bc 80 a5 ec 86 62 f6 fe e5 a9 9c 58 ef c2 da 46 87 6a 17 95 91 a5 3d 5d c3 a8 c7 de b6 98 7e f5 d2 54 7e e8 48 21 be 56 f6 42 7f 9d 0f 66 c3 47 bf 03 86 23 5c 85 db e2 2f 2b bf 1b 6f ff cb 73 0a 3e 88 6f 27 90 29 a0 d2 68 b8 cc 98 18 d6 51 a9 46 d4 0b 15 96 b3 31 e6 38 0a b1 e4 4a c3 94 56 b8 8e 81 bb 18 67 39 Data Ascii: kaqe;VJ<y_1 C" e^8Y^UH#)X-!8tNlKKZQ'8K3<~%Sia{A<XNaOMI3;fshTbXFj=]~T~H!VBfG#\/+os>o')hQF18JVg9

Target ID:	0
Start time:	02:59:08
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\sVfXReO3QI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\sVfXReO3QI.exe"
Imagebase:	0x400000
File size:	6'986'755 bytes
MD5 hash:	26E14EE776EACBBD45F8EE346DCECFCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:59:08
Start date:	21/08/2024
Path:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe"
Imagebase:	0x400000
File size:	145'722 bytes
MD5 hash:	49BF9DCA0C8EAFF957F62F0F3CEF0BA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:59:13
Start date:	21/08/2024
Path:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"
Imagebase:	0x400000
File size:	6'794'456 bytes
MD5 hash:	03F2D4B132FC5802F9739F4B91C86C25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	02:59:26
Start date:	21/08/2024
Path:	C:\Users\user\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\PsiphonTemp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat"
Imagebase:	0x410000
File size:	18'710'232 bytes
MD5 hash:	77F9FB45FA91FBC0B2105900F7AF30DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	02:59:27
Start date:	21/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.5%
Total number of Nodes:	1984
Total number of Limit Nodes:	24

Executed Functions

Function 00405C18 Relevance: 273.2, APIs: 100, Strings: 55, Instructions: 1994stringkeyboardwindowCOMMON

Download Yara Rule

APIs

?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 00405C2B

Part of subcall function 0040202A: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405C37,?,00000000), ref: 00402036
Part of subcall function 0040202A: CreateWindowExW.USER32(00000000,Static,0041A584,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00402053
Part of subcall function 0040202A: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00402065
Part of subcall function 0040202A: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402072
Part of subcall function 0040202A: DispatchMessageW.USER32(?), ref: 0040207C
Part of subcall function 0040202A: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405C37,?,00000000), ref: 00402085
Part of subcall function 0040202A: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405C37,?,00000000), ref: 0040208C

GetVersionExW.KERNEL32(?,?,00000000), ref: 00405C48
GetCommandLineW.KERNEL32(?,00000020,?,00000000), ref: 00405CD4

Part of subcall function 00403101: ??3@YAXPAX@Z.MSVCRT ref: 00403174
Part of subcall function 00403101: ??3@YAXPAX@Z.MSVCRT ref: 0040318F
Part of subcall function 00403101: ??3@YAXPAX@Z.MSVCRT ref: 00403197
Part of subcall function 00403101: ??3@YAXPAX@Z.MSVCRT ref: 00403207

lstrlenW.KERNEL32(?,00000000,00000000), ref: 00405CFF

Part of subcall function 00403685: ??3@YAXPAX@Z.MSVCRT ref: 004036ED

Part of subcall function 0040455D: #17.COMCTL32(00000000,?,?), ref: 00404569
Part of subcall function 0040455D: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,?,?,?), ref: 004045EA
Part of subcall function 0040455D: wsprintfW.USER32 ref: 004045FE

wsprintfW.USER32 ref: 00405D67
_wtol.MSVCRT(-00000002), ref: 00405DA3
??3@YAXPAX@Z.MSVCRT ref: 00405DF2
??3@YAXPAX@Z.MSVCRT ref: 00405E03
??3@YAXPAX@Z.MSVCRT ref: 00405E0B

Part of subcall function 004011B7: ??2@YAPAXI@Z.MSVCRT ref: 004011D7
Part of subcall function 004011B7: ??3@YAXPAX@Z.MSVCRT ref: 004011FD

GetModuleFileNameW.KERNEL32(00000000,00000208), ref: 00405E82
_wtol.MSVCRT(-00000002), ref: 00405FAA
??2@YAPAXI@Z.MSVCRT ref: 00406139
??3@YAXPAX@Z.MSVCRT ref: 004061BC
??3@YAXPAX@Z.MSVCRT ref: 00406232
??3@YAXPAX@Z.MSVCRT ref: 0040624E
??3@YAXPAX@Z.MSVCRT ref: 0040628C
wsprintfW.USER32 ref: 004062B6

Part of subcall function 004046A3: lstrlenW.KERNEL32(00406EB8,00000000,?,?,004046EA,00000000,00000000,00406EB8,?,waitall,00000000,00000000,?,?,0041E9E8), ref: 004046B0
Part of subcall function 004046A3: lstrlenW.KERNEL32(?,?,?,0041E9E8), ref: 004046B9
Part of subcall function 004046A3: _wcsnicmp.MSVCRT ref: 004046C5

_wtol.MSVCRT(?), ref: 004064D8
??3@YAXPAX@Z.MSVCRT ref: 004065A5
??3@YAXPAX@Z.MSVCRT ref: 004065EF
??3@YAXPAX@Z.MSVCRT ref: 004065F7
??3@YAXPAX@Z.MSVCRT ref: 00406618
??3@YAXPAX@Z.MSVCRT ref: 00406672
??3@YAXPAX@Z.MSVCRT ref: 0040667A
GetCommandLineW.KERNEL32(?,?,00000000,?,?), ref: 004066E4
??3@YAXPAX@Z.MSVCRT ref: 0040675D
??3@YAXPAX@Z.MSVCRT ref: 00406765
??3@YAXPAX@Z.MSVCRT ref: 0040676D
??3@YAXPAX@Z.MSVCRT ref: 00406775
??3@YAXPAX@Z.MSVCRT ref: 0040677D
GetCurrentProcess.KERNEL32(000000FF,000000FF,?,?,?,?,00000000), ref: 00406789
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 00406790
??3@YAXPAX@Z.MSVCRT ref: 004067AB
??3@YAXPAX@Z.MSVCRT ref: 004067B3
??3@YAXPAX@Z.MSVCRT ref: 004067BB
??3@YAXPAX@Z.MSVCRT ref: 004067C3
??3@YAXPAX@Z.MSVCRT ref: 004067DF
??3@YAXPAX@Z.MSVCRT ref: 004067E7
??3@YAXPAX@Z.MSVCRT ref: 004067EF
??3@YAXPAX@Z.MSVCRT ref: 004067F7
??3@YAXPAX@Z.MSVCRT ref: 00406869
??3@YAXPAX@Z.MSVCRT ref: 0040688C
??3@YAXPAX@Z.MSVCRT ref: 004068FE
CoInitialize.OLE32(00000000), ref: 0040691A
lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00406973
_wtol.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406A5C
??3@YAXPAX@Z.MSVCRT ref: 00406A7E
??3@YAXPAX@Z.MSVCRT ref: 00406AC9
GetKeyState.USER32(00000010), ref: 00406B1B
??3@YAXPAX@Z.MSVCRT ref: 00406C61
??3@YAXPAX@Z.MSVCRT ref: 00406C6F
??3@YAXPAX@Z.MSVCRT ref: 00406C9A
??3@YAXPAX@Z.MSVCRT ref: 00406CA2
??3@YAXPAX@Z.MSVCRT ref: 00406CBE
??3@YAXPAX@Z.MSVCRT ref: 00406CC6

Part of subcall function 00404A41: GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00407453,00000000,?,?,004057BC,?,7ZSfx%03x.cmd), ref: 00404A64
Part of subcall function 00404A41: GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,004057BC,?,7ZSfx%03x.cmd), ref: 00404A81
Part of subcall function 00404A41: wsprintfW.USER32 ref: 00404AB7
Part of subcall function 00404A41: GetFileAttributesW.KERNELBASE(?), ref: 00404AD2

??3@YAXPAX@Z.MSVCRT ref: 00406CF6
??3@YAXPAX@Z.MSVCRT ref: 00406D37
??3@YAXPAX@Z.MSVCRT ref: 00406DA2
??3@YAXPAX@Z.MSVCRT ref: 00406DAA
??3@YAXPAX@Z.MSVCRT ref: 00406E6F
??3@YAXPAX@Z.MSVCRT ref: 00406E77
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,setup.exe,?,00000000,?,?), ref: 00406E81
??3@YAXPAX@Z.MSVCRT ref: 00406F3B
??3@YAXPAX@Z.MSVCRT ref: 00406F43
_wtol.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406FD5
??3@YAXPAX@Z.MSVCRT ref: 004071B0
??3@YAXPAX@Z.MSVCRT ref: 004071B8
??3@YAXPAX@Z.MSVCRT ref: 004071DC
??3@YAXPAX@Z.MSVCRT ref: 00407225
??3@YAXPAX@Z.MSVCRT ref: 0040722D
??3@YAXPAX@Z.MSVCRT ref: 00407235
??3@YAXPAX@Z.MSVCRT ref: 0040723B

Part of subcall function 00405492: GetCommandLineW.KERNEL32(?,00000000,?), ref: 004054B3
Part of subcall function 00405492: ??3@YAXPAX@Z.MSVCRT ref: 00405576
Part of subcall function 00405492: ??3@YAXPAX@Z.MSVCRT ref: 0040557E
Part of subcall function 00405492: ??3@YAXPAX@Z.MSVCRT ref: 00405586
Part of subcall function 00405492: ??3@YAXPAX@Z.MSVCRT ref: 0040558E
Part of subcall function 00405492: ??3@YAXPAX@Z.MSVCRT ref: 00405596
Part of subcall function 00405492: ??3@YAXPAX@Z.MSVCRT ref: 0040559E
Part of subcall function 00405492: ??3@YAXPAX@Z.MSVCRT ref: 004055A6
Part of subcall function 00405492: ??3@YAXPAX@Z.MSVCRT ref: 004055AE
Part of subcall function 00405492: ??3@YAXPAX@Z.MSVCRT ref: 004055B6

??3@YAXPAX@Z.MSVCRT ref: 0040724B
??3@YAXPAX@Z.MSVCRT ref: 00407253
??3@YAXPAX@Z.MSVCRT ref: 00407270
??3@YAXPAX@Z.MSVCRT ref: 00407278
??3@YAXPAX@Z.MSVCRT ref: 00407280
??3@YAXPAX@Z.MSVCRT ref: 00407288
??3@YAXPAX@Z.MSVCRT ref: 00407290
??3@YAXPAX@Z.MSVCRT ref: 004072AE
SetLastError.KERNEL32(00000000,00000000,?,?), ref: 004072B7
??3@YAXPAX@Z.MSVCRT ref: 004072CF
??3@YAXPAX@Z.MSVCRT ref: 004072D7
??3@YAXPAX@Z.MSVCRT ref: 004072DF
??3@YAXPAX@Z.MSVCRT ref: 004072E5
??3@YAXPAX@Z.MSVCRT ref: 004072ED
??3@YAXPAX@Z.MSVCRT ref: 004072F5
??3@YAXPAX@Z.MSVCRT ref: 004072FD
??3@YAXPAX@Z.MSVCRT ref: 0040731C
??3@YAXPAX@Z.MSVCRT ref: 00407324
??3@YAXPAX@Z.MSVCRT ref: 0040732C
??3@YAXPAX@Z.MSVCRT ref: 00407332
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000000,?,?), ref: 0040736A
??3@YAXPAX@Z.MSVCRT ref: 00407394
??3@YAXPAX@Z.MSVCRT ref: 00407459
??3@YAXPAX@Z.MSVCRT ref: 00407461
??3@YAXPAX@Z.MSVCRT ref: 00407478
??3@YAXPAX@Z.MSVCRT ref: 00407489
??3@YAXPAX@Z.MSVCRT ref: 00407491

Part of subcall function 00405758: GetDriveTypeW.KERNEL32(?,?,?), ref: 0040579F
Part of subcall function 00405758: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004057D0
Part of subcall function 00405758: WriteFile.KERNEL32(0041EA30,?,?,00407453,00000000,del ",:Repeat,00000000), ref: 00405885
Part of subcall function 00405758: ??3@YAXPAX@Z.MSVCRT ref: 00405890

MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 004074AA

Strings

AutoInstall, xrefs: 00406B51, 00406BAC, 00406F1B
x64, xrefs: 00407069
sfxversion, xrefs: 00405DD7
$A, xrefs: 0040612D
OverwriteMode, xrefs: 004063B1
waitall, xrefs: 00406EAD
0A, xrefs: 0040605E
" -, xrefs: 00406706
A, xrefs: 00406934
SfxVarCmdLine1, xrefs: 00406639
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 004074A3
forcenowait, xrefs: 00406F92
amd64, xrefs: 00407056
SfxAuthor, xrefs: 0040694D
SfxVarSystemLanguage, xrefs: 00405D76
ExecuteFile, xrefs: 00406AE0, 00406BD7, 00406BE5
hidcon, xrefs: 00406F50
nowait, xrefs: 00406F6E
SfxVarSystemPlatform, xrefs: 00405D27
BeginPrompt, xrefs: 00406AEB
7-Zip SFX, xrefs: 0040749E
MiscFlags, xrefs: 0040643C
sfxelevation, xrefs: 00405E35, 00406701
InstallPath, xrefs: 00406924
i386, xrefs: 00407043
SfxVarCmdLine0, xrefs: 00405D34
SelfDelete, xrefs: 0040647D, 00407427
A, xrefs: 00406CE6
sfxlang, xrefs: 00405D87
sfxconfig, xrefs: 0040600F, 004061E1
GUIFlags, xrefs: 00406419
GUIMode, xrefs: 004063F6
del, xrefs: 0040700C
Shortcut, xrefs: 00407351
pA, xrefs: 00405F76
FinishMessage, xrefs: 004073C1
SetEnvironment, xrefs: 0040681C, 00406875
0A, xrefs: 00406068
sfxwaitall, xrefs: 00405E19
ExecuteParameters, xrefs: 004070D2
Delete, xrefs: 00407379
setup.exe, xrefs: 00406E3A, 00406E3F, 00406E94
SfxVarCmdLine2, xrefs: 004062F3, 00406696
bpt, xrefs: 004064E9
SfxString%d, xrefs: 004062B0
RunProgram, xrefs: 00406BFB, 00406C0D
7ZipSfx.%03x, xrefs: 00406CD9
A, xrefs: 00406D04
HelpText, xrefs: 004068B2
shc, xrefs: 00406FEA
SfxVarModulePlatform, xrefs: 00405D0F
0A, xrefs: 00405E70
x86, xrefs: 00405D0A, 00407030
123456789ABCDEFGHJKMNPQRSTUVWXYZ, xrefs: 004069A2
BeginPromptTimeout, xrefs: 00406502, 00406A49

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$File_wtol$lstrlenwsprintf$CommandLineMessagePath$??2@AttributesCreateCurrentModuleProcessTempTimer$?_set_new_handler@@CallbackDirectoryDispatchDispatcherDriveErrorFolderHandleInitializeKillLastNameSizeSpecialStateTypeUserVersionWindowWorkingWrite_wcsnicmp
String ID: " -$$A$0A$0A$0A$123456789ABCDEFGHJKMNPQRSTUVWXYZ$7-Zip SFX$7ZipSfx.%03x$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$SfxAuthor$SfxString%d$SfxVarCmdLine0$SfxVarCmdLine1$SfxVarCmdLine2$SfxVarModulePlatform$SfxVarSystemLanguage$SfxVarSystemPlatform$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$amd64$bpt$del$forcenowait$hidcon$i386$nowait$pA$setup.exe$sfxconfig$sfxelevation$sfxlang$sfxversion$sfxwaitall$shc$waitall$x64$x86$A$A$A
API String ID: 1285656963-2377148831
Opcode ID: ca29ec69b75dae9377f55f1aad8fca88460a48402f3d6daeb9e5462099815401
Instruction ID: 7d3dfb060556a880520f882e8da7ce04cba8f88452da2e3d957660181bc34423
Opcode Fuzzy Hash: ca29ec69b75dae9377f55f1aad8fca88460a48402f3d6daeb9e5462099815401
Instruction Fuzzy Hash: 0FE2F271900204AADF25BF61DD46AEE3768EF05308F11403BF906B61D2DB7D9A91CB9E

Function 00403A96 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00401A87,00000000,?,?,?,?,?,?,00401A87,?), ref: 00403AA3
GetSystemTimeAsFileTime.KERNEL32(?,00401A87,?,?,?,?,00401A87,?), ref: 00403B19
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00401A87,?), ref: 00403B20
??3@YAXPAX@Z.MSVCRT ref: 00403BDF

Part of subcall function 004011B7: ??2@YAPAXI@Z.MSVCRT ref: 004011D7
Part of subcall function 004011B7: ??3@YAXPAX@Z.MSVCRT ref: 004011FD

memcpy.MSVCRT ref: 00403B71
??3@YAXPAX@Z.MSVCRT ref: 00403BAE
??3@YAXPAX@Z.MSVCRT ref: 00403BF4

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 70eed00c210e8056117a81afcf139e7f7fadff7b77be66bf58d94e28cbcf4867
Instruction ID: 0f2a00f266c3e91eabf76dad8ed74b5c358096388eeecf68552b374039058eee
Opcode Fuzzy Hash: 70eed00c210e8056117a81afcf139e7f7fadff7b77be66bf58d94e28cbcf4867
Instruction Fuzzy Hash: 8D41EB25900115AADB20AF598C42ABF7B7CEB0570AF40413BE941B61C2E77DAF4286DD

Function 00402678 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,?,004026AE,00405D26,00000001), ref: 00402688
GetProcAddress.KERNEL32(00000000), ref: 0040268F
GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,004026AE,00405D26,00000001), ref: 0040269D

Strings

GetNativeSystemInfo, xrefs: 0040267E
kernel32, xrefs: 00402683

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: AddressInfoLibraryLoadNativeProcSystem
String ID: GetNativeSystemInfo$kernel32
API String ID: 2103483237-3846845290
Opcode ID: 589bfe798714c72d55a02258d5f73302c8b4a0cb66d4c90fb85e1d33c1cb50e7
Instruction ID: 4243547076bf45231392ad9064d8e78bc72b2d3c6908f642ae8a754f6dea8c3c
Opcode Fuzzy Hash: 589bfe798714c72d55a02258d5f73302c8b4a0cb66d4c90fb85e1d33c1cb50e7
Instruction Fuzzy Hash: A2D05E70A0520976CB01ABB15D0E9EB76E86A48609B140461A406F00C4EAADDDA0C77A

Function 0040372C Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 0040373A
SetLastError.KERNEL32(00000010), ref: 0040374F

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: d36faaefddfd81e2762f97a3370e571bf9c3961ee8d128041245bb49f3de1fe9
Instruction ID: fc6d74f889439b8008461c5170a41b41c4634018572b579c801417c90cab6092
Opcode Fuzzy Hash: d36faaefddfd81e2762f97a3370e571bf9c3961ee8d128041245bb49f3de1fe9
Instruction Fuzzy Hash: FF018BF45024146ADB102F799D889EA3B5CAF01326F10CA32F522F21E0E73C9B51865E

Function 0040122A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 00401246
SendMessageW.USER32(00008001,00000000,?), ref: 0040129F

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 134f51b7559761425d8516f572d58d6d47936f3fb89939f0ed2c5b40a734bcac
Instruction ID: 5a84cd4ed7cf58cef686fcc2e8b11779581c6348a7b22175bc4f470302977229
Opcode Fuzzy Hash: 134f51b7559761425d8516f572d58d6d47936f3fb89939f0ed2c5b40a734bcac
Instruction Fuzzy Hash: A80181B4611208BBEB94DB92DC45F9A77A9FB01714F10807AFD00FA1F0C7B9A9808B1D

Function 00401B1E Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3a344645c90060d1dde64b1fc318fbc4d03283f1872130456d7d7b8fca47a7
Instruction ID: c97574b0b9fb83ae219b8bf287d177c65d35204aa7b292a8b4aaedb3b9765f48
Opcode Fuzzy Hash: 4f3a344645c90060d1dde64b1fc318fbc4d03283f1872130456d7d7b8fca47a7
Instruction Fuzzy Hash: BFB18E71900205EFCB15EFA5C8849EEB7B5FF48314F10842BF912A72A1DB78EA45CB59

Function 0040202A Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405C37,?,00000000), ref: 00402036
CreateWindowExW.USER32(00000000,Static,0041A584,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00402053
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00402065
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402072
DispatchMessageW.USER32(?), ref: 0040207C
KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405C37,?,00000000), ref: 00402085
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405C37,?,00000000), ref: 0040208C

Strings

Static, xrefs: 0040204D

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 947087521f2d8a527adb1e132fdb1a2ab70df0e469f5237fcb2ff151bfac6e68
Instruction ID: 6d361602a22ecfb743b6e8feae7c3bd3eb8e68c6b2cd8e9e3e04e25feeadf995
Opcode Fuzzy Hash: 947087521f2d8a527adb1e132fdb1a2ab70df0e469f5237fcb2ff151bfac6e68
Instruction Fuzzy Hash: 68F062325472317BCA312BA69C4DEEF3E2DEF46BB1F004260F619A11D1DAB94111C6BA

Function 00414476 Relevance: 12.6, APIs: 8, Instructions: 565
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 004144E6
??2@YAPAXI@Z.MSVCRT ref: 00414530

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 788047ecef0a495616e408a1f8658ec1d260eded41d07f1578465c09e28bf8e1
Instruction ID: 9cfdc296de4d911c8b0d5509db40b0b0cf3220fe84743daa4662bb7cf851d428
Opcode Fuzzy Hash: 788047ecef0a495616e408a1f8658ec1d260eded41d07f1578465c09e28bf8e1
Instruction Fuzzy Hash: 36324371900249DFCB14DFA5C8808EEBBB5FF89308B14456EF91A9B251CB39E985CF58

Function 004053BB Relevance: 10.6, APIs: 7, Instructions: 78
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004053DF
??3@YAXPAX@Z.MSVCRT ref: 00405438
??3@YAXPAX@Z.MSVCRT ref: 00405440
ShellExecuteExW.SHELL32(?), ref: 0040545E
WaitForSingleObject.KERNEL32(004071CE,000000FF), ref: 00405476
CloseHandle.KERNEL32(004071CE), ref: 0040547F
??3@YAXPAX@Z.MSVCRT ref: 00405486

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$CloseExecuteHandleObjectShellSingleWaitmemset
String ID:
API String ID: 2700081640-0
Opcode ID: 91a943068177400c2716056ef89a331a477f8bae5c5f5a6613d8adce82220148
Instruction ID: bfc6e588bc124ab4bb54016629f9cf6f875c5e33f05a46da5ac90fa54932be6c
Opcode Fuzzy Hash: 91a943068177400c2716056ef89a331a477f8bae5c5f5a6613d8adce82220148
Instruction Fuzzy Hash: FB216B71C00208ABCB11AFD5D885AEFBBB8FF44318F10813BE915B61A1D7785995CF45

Function 004168CA Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00416921
memmove.MSVCRT ref: 004169B8
??3@YAXPAX@Z.MSVCRT ref: 004169C4

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-0
Opcode ID: d379a83c4509f110c68ff3d8a357345f8dafa83bff8cb8b2909894970113db52
Instruction ID: 23944b093298c9250b12953aee9b2fea977b47268a7197f545c2c6c5c712d5c3
Opcode Fuzzy Hash: d379a83c4509f110c68ff3d8a357345f8dafa83bff8cb8b2909894970113db52
Instruction Fuzzy Hash: 1041F4B1A10204ABDB10DB65C940BFFB7B9EF89744F15446EE841A7201D778EE81CB99

Function 0040455D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32(00000000,?,?), ref: 00404569

Part of subcall function 0040243A: GetUserDefaultUILanguage.KERNEL32(00404579,?,?), ref: 00402444

Part of subcall function 00402490: GetLastError.KERNEL32(00000000,?,?), ref: 004024DF
Part of subcall function 00402490: wsprintfW.USER32 ref: 004024F0
Part of subcall function 00402490: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402505
Part of subcall function 00402490: GetLastError.KERNEL32 ref: 0040250A
Part of subcall function 00402490: ??2@YAPAXI@Z.MSVCRT ref: 00402525
Part of subcall function 00402490: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402538
Part of subcall function 00402490: GetLastError.KERNEL32 ref: 0040253F
Part of subcall function 00402490: lstrcmpiW.KERNEL32(00ADC6C8,?), ref: 00402554
Part of subcall function 00402490: ??3@YAXPAX@Z.MSVCRT ref: 00402564
Part of subcall function 00402490: SetLastError.KERNEL32(00000003), ref: 0040258B
Part of subcall function 00402490: lstrlenA.KERNEL32(0041B330), ref: 004025BF
Part of subcall function 00402490: ??2@YAPAXI@Z.MSVCRT ref: 004025DA
Part of subcall function 00402490: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 0040260C

Part of subcall function 00402490: ??3@YAXPAX@Z.MSVCRT ref: 00402582
Part of subcall function 00402490: _wtol.MSVCRT(?), ref: 0040261D
Part of subcall function 00402490: MultiByteToWideChar.KERNEL32(00000000,0041B330,00000001,00ADC6C8,00000002), ref: 0040263D

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,?,?,?), ref: 004045EA
wsprintfW.USER32 ref: 004045FE

Part of subcall function 00403685: ??3@YAXPAX@Z.MSVCRT ref: 004036ED

Strings

SfxFolder%02d, xrefs: 004045F8

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ErrorLast$??3@$??2@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: SfxFolder%02d
API String ID: 1305296731-528147737
Opcode ID: c0b7c8bedfdb96d278ad746eb2fa6d2f79cda622667cf71b9ff6e01a874d3379
Instruction ID: ad47f965f1414b1aea6f9370fe11b7bd4236df0bf66a58ddcda0defb28dd56f0
Opcode Fuzzy Hash: c0b7c8bedfdb96d278ad746eb2fa6d2f79cda622667cf71b9ff6e01a874d3379
Instruction Fuzzy Hash: 7A2104F6D013146AD750EFB29C4EBCA7668AB80709F00853FFA09A71D0EA7A55408B1D

Function 00402F19 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,004040B3,0041EA30,?,?,004061AB,00000000,00000000,?,?,?,00000000,?), ref: 00402F4B
lstrlenA.KERNEL32(?,?,004040B3,0041EA30,?,?,004061AB,00000000,00000000,?,?,?,00000000,?), ref: 00402F53
memcmp.MSVCRT ref: 00402FB9
memcmp.MSVCRT ref: 00402FF6
memmove.MSVCRT ref: 00403028

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: a62ca880d0d825914a7d4edcd11435feecd31b01bd7507547217008d56edb1d4
Instruction ID: 6bddd9879f2f5e7a60876394282d69eca814f89a03797a05572576cc836ebeb8
Opcode Fuzzy Hash: a62ca880d0d825914a7d4edcd11435feecd31b01bd7507547217008d56edb1d4
Instruction Fuzzy Hash: BE418C72D01209AFCF10DFA5C8849EEBFB8EF09384F0440AAE804B3280D3799E95DB55

Function 004019E5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 004019F2
??2@YAPAXI@Z.MSVCRT ref: 00401A36
??2@YAPAXI@Z.MSVCRT ref: 00401A8E

Part of subcall function 004095EE: wvsprintfW.USER32(?,00000000,?), ref: 00409612
Part of subcall function 004095EE: GetLastError.KERNEL32 ref: 00409623
Part of subcall function 004095EE: FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,0000000F), ref: 0040964B
Part of subcall function 004095EE: FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,0000000F), ref: 00409660
Part of subcall function 004095EE: lstrlenW.KERNEL32(?), ref: 00409673
Part of subcall function 004095EE: lstrlenW.KERNEL32(00000000), ref: 0040967A
Part of subcall function 004095EE: ??2@YAPAXI@Z.MSVCRT ref: 0040968F
Part of subcall function 004095EE: lstrcpyW.KERNEL32(00000000,?), ref: 004096A5
Part of subcall function 004095EE: lstrcpyW.KERNEL32(-00000002,00000000), ref: 004096B6
Part of subcall function 004095EE: ??3@YAXPAX@Z.MSVCRT ref: 004096BF
Part of subcall function 004095EE: LocalFree.KERNEL32(00000000), ref: 004096C9

Strings

ExecuteFile, xrefs: 004019EC

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??2@$FormatMessagelstrcpylstrlen$??3@ErrorFreeLastLocalwvsprintf
String ID: ExecuteFile
API String ID: 1592922708-323923146
Opcode ID: 7a623bca20e68b42fe6845036804734ebb7db2d519c6c2dea3bed0df4bdd9b31
Instruction ID: 6780326a736f9f88a4b68697584b61ff41e5de17b7023dd5f9fed655a3c13ad6
Opcode Fuzzy Hash: 7a623bca20e68b42fe6845036804734ebb7db2d519c6c2dea3bed0df4bdd9b31
Instruction Fuzzy Hash: 0531B335701104AFCB119BA5CC89DAE77A9EF85315B24446BF405EB2A1DB789D80CB29

Function 00401893 Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040133C,00000000,00000000,?), ref: 004018D7
WaitForSingleObject.KERNEL32(000000FF,?,00401AF4,?,?), ref: 004018F8

Part of subcall function 004095EE: wvsprintfW.USER32(?,00000000,?), ref: 00409612
Part of subcall function 004095EE: GetLastError.KERNEL32 ref: 00409623
Part of subcall function 004095EE: FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,0000000F), ref: 0040964B
Part of subcall function 004095EE: FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,0000000F), ref: 00409660
Part of subcall function 004095EE: lstrlenW.KERNEL32(?), ref: 00409673
Part of subcall function 004095EE: lstrlenW.KERNEL32(00000000), ref: 0040967A
Part of subcall function 004095EE: ??2@YAPAXI@Z.MSVCRT ref: 0040968F
Part of subcall function 004095EE: lstrcpyW.KERNEL32(00000000,?), ref: 004096A5
Part of subcall function 004095EE: lstrcpyW.KERNEL32(-00000002,00000000), ref: 004096B6
Part of subcall function 004095EE: ??3@YAXPAX@Z.MSVCRT ref: 004096BF
Part of subcall function 004095EE: LocalFree.KERNEL32(00000000), ref: 004096C9

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: 91e141f45f2ee7295b0cea4f89133db8f2c00a0fa615f411bb75a8c1b5eb54d3
Instruction ID: a876f98e79dacea5cc089968dae63f64e03189e2a5d1ac9b71cf33a519aa8765
Opcode Fuzzy Hash: 91e141f45f2ee7295b0cea4f89133db8f2c00a0fa615f411bb75a8c1b5eb54d3
Instruction Fuzzy Hash: 423126F5601200BAEB355B16DC55EBB36A9EB85310F20803BF902F52F1D67C8941D66F

Function 00404A41 Relevance: 6.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00407453,00000000,?,?,004057BC,?,7ZSfx%03x.cmd), ref: 00404A64
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,004057BC,?,7ZSfx%03x.cmd), ref: 00404A81
wsprintfW.USER32 ref: 00404AB7
GetFileAttributesW.KERNELBASE(?), ref: 00404AD2

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 5f39394a9dca1049afb72b93ca682225ea40c3988a10b8dd75f2f6ab43e532ce
Instruction ID: 5d9b743630f11cc8f98a804d25f6a969196336981951373b86204d1d51b3fe07
Opcode Fuzzy Hash: 5f39394a9dca1049afb72b93ca682225ea40c3988a10b8dd75f2f6ab43e532ce
Instruction Fuzzy Hash: 8C11E772600204FFD7119F55C844AADB7B9FF48314F10842EF906972E1DBB999108B98

Function 00401E7E Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(00403B10,00000000,-00000001,00403B10,?,00401A87,?,?,?,?,00401A87,?), ref: 00401E85
GetLastError.KERNEL32(?,?,?,?,00401A87,?), ref: 00401E8F
SetLastError.KERNEL32(000000B7,?,?,?,?,00401A87,?), ref: 00401E9F
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00401A87,?), ref: 00401EAD

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 2870007de936e2cd6bf86a77b59755239ded30d6049a6d438da8b23bd184778b
Instruction ID: 386708675ad1f67ee821f8193335b86be887b361fe293b8400b21247fb87b693
Opcode Fuzzy Hash: 2870007de936e2cd6bf86a77b59755239ded30d6049a6d438da8b23bd184778b
Instruction Fuzzy Hash: FAE01A3054A220BFEB511B24FC48B9F3B569F41725F148A36FC59E01F4D7388852968A

Function 00414DB4 Relevance: 4.9, APIs: 3, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00414DBD
??2@YAPAXI@Z.MSVCRT ref: 00414F5B
??2@YAPAXI@Z.MSVCRT ref: 0041502E

Part of subcall function 0041534F: ??2@YAPAXI@Z.MSVCRT ref: 00415377

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??2@$H_prolog
String ID:
API String ID: 3431946709-0
Opcode ID: fab8fd1235ac050b1e0d8c5e45ec562f8d1428b153f9e8a335c811c2583ca095
Instruction ID: 686c930a7ef178ea5ab12c5d19a3d7c251e78e8bbbc10600cae06936c8b42039
Opcode Fuzzy Hash: fab8fd1235ac050b1e0d8c5e45ec562f8d1428b153f9e8a335c811c2583ca095
Instruction Fuzzy Hash: 46F12571A00209DFCB14DF69C884AEA7BB4BF88354F14415AF8199B351DB79ED82CF98

Function 00404038 Relevance: 4.7, APIs: 3, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 00402678: LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,?,004026AE,00405D26,00000001), ref: 00402688
Part of subcall function 00402678: GetProcAddress.KERNEL32(00000000), ref: 0040268F
Part of subcall function 00402678: GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,004026AE,00405D26,00000001), ref: 0040269D

??3@YAXPAX@Z.MSVCRT ref: 004041C6
??3@YAXPAX@Z.MSVCRT ref: 004041CE
??3@YAXPAX@Z.MSVCRT ref: 004041D6

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$AddressInfoLibraryLoadNativeProcSystem
String ID:
API String ID: 1642057587-0
Opcode ID: 2d54a5c0d0fe28d660c825eb0872e77c4edd5f4509406376405913d5d74d72da
Instruction ID: 7656f2246ecc7c6cc45d06e63a8b72c114f9a889527ded6a08eb3d076b8c2c94
Opcode Fuzzy Hash: 2d54a5c0d0fe28d660c825eb0872e77c4edd5f4509406376405913d5d74d72da
Instruction Fuzzy Hash: 6851A1B2C00149AACF01EFD1CD859FEBB79AF48308F04403AF610B62D1D7799A4ACB59

Function 00415F0B Relevance: 4.6, APIs: 3, Instructions: 114COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415F10

Part of subcall function 0041839F: _EH_prolog.MSVCRT ref: 004183A4

??3@YAXPAX@Z.MSVCRT ref: 00415FC0
??3@YAXPAX@Z.MSVCRT ref: 00415FFF

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: fa7e8afba3ce79e0b7bb9301de01f44f0688fdaf3b18fd0d1ac67015356f1684
Instruction ID: 80cfc670515df322d5a0f1bad9bb987e37fd57aaff311f52ca6ed10ca3b00574
Opcode Fuzzy Hash: fa7e8afba3ce79e0b7bb9301de01f44f0688fdaf3b18fd0d1ac67015356f1684
Instruction Fuzzy Hash: CE414F3160060ADFCB11EFA5C895AEEBB75BF84308F14446EF406A7251DF39AD86CB25

Function 0040B2A0 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040B2B3
memmove.MSVCRT ref: 0040B2D0
??3@YAXPAX@Z.MSVCRT ref: 0040B2E1

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 2d29a23e04a800e727a7b54e03b6005ba5ac139afd78bf77e0f410f3315a2635
Instruction ID: 005381a641870b901654b433da9efa5678f8f783537c5aa95d48f4956821a829
Opcode Fuzzy Hash: 2d29a23e04a800e727a7b54e03b6005ba5ac139afd78bf77e0f410f3315a2635
Instruction Fuzzy Hash: 76F0B4B66006005BC2209B5ADD9485BB7E9EFC97007048C7FE91ED3741D334F85486AE

Function 004029FA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00402A1E

Strings

@, xrefs: 00402A11

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: c05d361f5e9571ae993c344487b46086926bcd548e4e39e355e6093bfb7cf5c9
Instruction ID: d00f740de1a2efe1a026dd095351ee785e14532435a1eeee82b2a6518a9fc22a
Opcode Fuzzy Hash: c05d361f5e9571ae993c344487b46086926bcd548e4e39e355e6093bfb7cf5c9
Instruction Fuzzy Hash: 09F0AFB0B102159ADF70BB719A8DA5B77A5BB01358F10853AE402F61D1DBB8E8428A0D

Function 0041810E Relevance: 3.2, APIs: 2, Instructions: 204COMMON

Download Yara Rule

APIs

Part of subcall function 00416245: _CxxThrowException.MSVCRT(?,0041C8E8), ref: 0041625F

??3@YAXPAX@Z.MSVCRT ref: 0041822C
??3@YAXPAX@Z.MSVCRT ref: 00418390

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$ExceptionThrow
String ID:
API String ID: 2803161813-0
Opcode ID: e06b2bc66e7cb3a24e1f907cd781ac83590aca39cb2d73517e6e0f7c79883864
Instruction ID: 8745e1a2ddce382febef8af04cd5cf2bd10ae178c23d82ec63c8fedf0f7eafba
Opcode Fuzzy Hash: e06b2bc66e7cb3a24e1f907cd781ac83590aca39cb2d73517e6e0f7c79883864
Instruction Fuzzy Hash: 44816B31A00609AFCF25DFA5C891AEEFBB2FF08314F14452EE515A3351DB39A981CB58

Function 00415D5C Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415D61
??3@YAXPAX@Z.MSVCRT ref: 00415E56

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 756c0b5c6aefcdd13121025024816d24f19935b4aaa740c09a036b61eb7d408f
Instruction ID: ed65cc10277858091f9e8de967aaf07ed2053d25dc20cdc1fb010143ea0b88c4
Opcode Fuzzy Hash: 756c0b5c6aefcdd13121025024816d24f19935b4aaa740c09a036b61eb7d408f
Instruction Fuzzy Hash: 10411F32C04B04EBCB14DB64CA81AFE7B35EF94304B28402FE002A7661D67D9F81D75A

Function 004011B7 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 004011D7
??3@YAXPAX@Z.MSVCRT ref: 004011FD

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 81d66f699be0dc610134f1bf801777b590ed4f03ba3fd1023f6ee985c335a7b8
Instruction ID: 2a9acf97f50dc74bf2477fddec51c21d8134541a78e9df3ea2b8f2b8b6786771
Opcode Fuzzy Hash: 81d66f699be0dc610134f1bf801777b590ed4f03ba3fd1023f6ee985c335a7b8
Instruction Fuzzy Hash: D2F08C32210611ABC324DF6DC59186BB3E4FB88315720883FE2DAD72A1DA35A8918754

Function 004122F5 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 00412310
GetLastError.KERNEL32(?,?,?,?), ref: 0041231E

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7ccaebcf3ae4d329a8be65b6a742600eba4963c05187a2ee435572f36bdccfb6
Instruction ID: f48f6f2b0c7156b6abd5f8c57d42b75e78fb70457e0008364ac47cd7433d5725
Opcode Fuzzy Hash: 7ccaebcf3ae4d329a8be65b6a742600eba4963c05187a2ee435572f36bdccfb6
Instruction Fuzzy Hash: ADF0B7B4900208EF8B05CFA4D9448EE7BB5EB49350B208559F815D7350D7759A60DB65

Function 004125A8 Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 004125C0
_CxxThrowException.MSVCRT(?,0041C60C), ref: 004125E3

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: fcf478e90851fad2b33c9ed1e6fe70bf29481af54092e07db13bd9d2e017d67e
Instruction ID: 420ce26627c0f1c30ef0389914a86a82d93f5de10a8991056aa7ea3c12b3a24c
Opcode Fuzzy Hash: fcf478e90851fad2b33c9ed1e6fe70bf29481af54092e07db13bd9d2e017d67e
Instruction Fuzzy Hash: 9CE06D71640319AA8B20AF69D8859CABBE8EF04380700C03BFC08C6210E6B9D9A0C799

Function 0040AE60 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040AE6D
??3@YAXPAX@Z.MSVCRT ref: 0040AE7D

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: e9afefaed684a0424ac29e33d82847c05231d754d7aac0630840e5df30a11e45
Instruction ID: 9b673ee5c2754c871367cb61c0ae667a688a38adf027cf99462c8c0d985af208
Opcode Fuzzy Hash: e9afefaed684a0424ac29e33d82847c05231d754d7aac0630840e5df30a11e45
Instruction Fuzzy Hash: 6BD0A7F290421016D214D60898017C777C44F1D308F044D7FF94882311E7789DD4C7EB

Function 00415A4C Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00415A52
??3@YAXPAX@Z.MSVCRT ref: 00415A60

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 6816f4ef9cc482cf1556c997a0dc35d0b2a76dfe488b9d148fb69f72dc558e51
Instruction ID: 36e50f78537d6c02f4a8dbf07160adfdb2fb87d7878207db056aa045a99574e7
Opcode Fuzzy Hash: 6816f4ef9cc482cf1556c997a0dc35d0b2a76dfe488b9d148fb69f72dc558e51
Instruction Fuzzy Hash: 05C08C3291966066C2366629A901ACBB7C45F5E37CF088DBFF854821818ABC5EC1469E

Function 004015D8 Relevance: 2.6, APIs: 2, Instructions: 110COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 004015F7
??2@YAPAXI@Z.MSVCRT ref: 00401625

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 7ad5aa225f16a4b1d32e578b7b055ba544fcc1ca5f17beba0ecf5d568f2aa9fd
Instruction ID: c2a19d5cac2bfdbf8590582b02f57cd8c2d51b72891be0567ea10507677fb98f
Opcode Fuzzy Hash: 7ad5aa225f16a4b1d32e578b7b055ba544fcc1ca5f17beba0ecf5d568f2aa9fd
Instruction Fuzzy Hash: FC31E671901104AFDB20EFA5CC94CAFB7A8EF04344B59487BF441A72A1D7799E81CB6A

Function 004134B7 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004134C2
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 004134E1

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: a42822acf305faa6e4e1ed1b7c307282cd490a9ff452566294a691c589accf54
Instruction ID: d77cb9c9d90e793e1b60eb555ee1e1bf0e0da7b09971d09e2dc09e9e88fc8504
Opcode Fuzzy Hash: a42822acf305faa6e4e1ed1b7c307282cd490a9ff452566294a691c589accf54
Instruction Fuzzy Hash: 4BF0B432200204BBCB218F95CC08ECABBB9EF49761F15441AFA05E7220C775E860DBA4

Function 00414386 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004143BB

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 933b8c5d27097b182096917e0fe23b4488e15967b84e07a88ada714efe5052ef
Instruction ID: 9c1677235a272b5cc34e2a01b884f4e1fb04de9bdd2a22e3254cedb6a922d716
Opcode Fuzzy Hash: 933b8c5d27097b182096917e0fe23b4488e15967b84e07a88ada714efe5052ef
Instruction Fuzzy Hash: B8F06D32600118BB9B11AF56C8418EEB769EF85364710802BFC18AB301D679EE8197A4

Function 00403685 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: f2c818ef7ab3a64ea75edc2a05806f8e576519a16bb26db7b3aaf62d7c6dceca
Instruction ID: 3a2c23510bbdd7db8eaf6a44a7597d442e7cc213151da8d85dbaf3b81e373392
Opcode Fuzzy Hash: f2c818ef7ab3a64ea75edc2a05806f8e576519a16bb26db7b3aaf62d7c6dceca
Instruction Fuzzy Hash: E4012830800009AACF15FF92C9529DD7B75AF14308F50857AF511310F2AB7A5F59DA58

Function 004012AB Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 004012EF

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 448c230cc87f735e1553f318a5b8c444bef40708b0e198b2b123a740f6d4fd43
Instruction ID: 0d0a537d0a85425ebda4de84878e85ba803ab1d2a3bf622a698cf9a5ced90b33
Opcode Fuzzy Hash: 448c230cc87f735e1553f318a5b8c444bef40708b0e198b2b123a740f6d4fd43
Instruction Fuzzy Hash: 52F05E321006029FC7249F55D800BA773F5BB84310F04482EE146F25A0D738A891DF59

Function 004107C0 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00410808

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 1c15ab358f7d83620e0d424f65252b0605aca23ab544cd1b18b3b7dbcbdff36d
Instruction ID: 67237ec06fa6f5526f307c7f7ee3ee8d6cae950530cc7ea3400cefdb61a4f5cb
Opcode Fuzzy Hash: 1c15ab358f7d83620e0d424f65252b0605aca23ab544cd1b18b3b7dbcbdff36d
Instruction Fuzzy Hash: 26F082B11807416BC320EF54CD40A83B3D46F45304B048D3FF44587642D7B9E8C5CB99

Function 0041235B Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041228A: FindCloseChangeNotification.KERNELBASE(?,?,00412366,00000000,?,004123AE,?,80000000,?,?,?,004123D0,?,?,00000003,00000080), ref: 00412295

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,?,004123AE,?,80000000,?,?,?,004123D0), ref: 0041237D

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID:
API String ID: 727422849-0
Opcode ID: 6a49ffe8ef07d3521491a90d9a8a388089b773908a45dfb32dd5cb480f9273a5
Instruction ID: 8da2f02dc034daf8371d1df42df6ca4a0fddfd90bd2d401d718584e6e71ac4a6
Opcode Fuzzy Hash: 6a49ffe8ef07d3521491a90d9a8a388089b773908a45dfb32dd5cb480f9273a5
Instruction Fuzzy Hash: 20E086360402197BCF115F649D01BDE3F95AF09360F144616FA24961F0C7B2C4B5AB95

Function 0041249C Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00412AD7,00000001,0041EA30,0041EA30,0041A558,?,00405A90,?,?), ref: 004124BF

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 9268ae55d625ba9bd3f65ec717c6ac52065aac6919130e551e4270b037b827da
Instruction ID: b3ad0e42530da5b4dda889df23b63d717a80709c99c60a777d5212d721e63b56
Opcode Fuzzy Hash: 9268ae55d625ba9bd3f65ec717c6ac52065aac6919130e551e4270b037b827da
Instruction Fuzzy Hash: CFE0C275640208FFDB00DF95D801BDE7BB9AB49354F10C069F9199A260D3799A60DF54

Function 0041839F Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004183A4

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e23681dee6048d7e2731fb4a609dea36f69893ca3260d8bd4e07bac5b1dea7f9
Instruction ID: 5290c6e4ceeb99f02aec6ae12202f97ed0a1f662b14c32a0839b7666316d4697
Opcode Fuzzy Hash: e23681dee6048d7e2731fb4a609dea36f69893ca3260d8bd4e07bac5b1dea7f9
Instruction Fuzzy Hash: 7DE08C72A00108FBCB159F86DC01BEEBB38FB40364F00842FF81191110C779AA50DA68

Function 00407550 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00407563

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 5cedbd00d0b58acbd8f2f67b12d806d60a324f9fe697fccd0a4b4518c7bb1b65
Instruction ID: b1b1560d688da48002e302f1989f769420d3cb2b74016668af2939eee5b61ada
Opcode Fuzzy Hash: 5cedbd00d0b58acbd8f2f67b12d806d60a324f9fe697fccd0a4b4518c7bb1b65
Instruction Fuzzy Hash: F0D017F6800208BFCF01DFA0CC05CBA3BADEB08204B008469BD05C2210E632DA108BA1

Function 004123E1 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 004123F7

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 8938edae947a69c9db44886959f9dc69aa4ca479dc7ae96bb4d07ee1a96cf5e8
Instruction ID: 9ccc3df45c5337931c1f9920f453614b41e8bb9900b5d069a402b44b4c854426
Opcode Fuzzy Hash: 8938edae947a69c9db44886959f9dc69aa4ca479dc7ae96bb4d07ee1a96cf5e8
Instruction Fuzzy Hash: 99E0EC75201208FFDB01CF90CC01FDE7BBDFB49754F208058E90496160C7759A24EB55

Function 0041228A Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00412366,00000000,?,004123AE,?,80000000,?,?,?,004123D0,?,?,00000003,00000080), ref: 00412295

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bf632d426777a13286a7d214fabf0ee7930240e4f00ef32643c6c823c72a12ea
Instruction ID: b31490782a570351f923d450f5d4ba6ab7a609589b13ee7b544e96044028fae9
Opcode Fuzzy Hash: bf632d426777a13286a7d214fabf0ee7930240e4f00ef32643c6c823c72a12ea
Instruction Fuzzy Hash: 1CD012316041615A8E741E3CB9459D637D85A46370321079BF0B9C3AE1D3B58CD35694

Function 0040C600 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040C616

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 5de78ebd4f5f29dc8fbb5bb8a3e0a977ead23378360e583b65f93d91bbe299d9
Instruction ID: 89e791b4cdb467548dc89fe6e418eb841be097dbc90599bb9e0328941d4b988a
Opcode Fuzzy Hash: 5de78ebd4f5f29dc8fbb5bb8a3e0a977ead23378360e583b65f93d91bbe299d9
Instruction Fuzzy Hash: 1FD02231900A2197C120FB2DD84048B73805F51338B008F3EF065632D0D638BE8186DE

Function 0041246F Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,00412499,00000000,00000000,?,004012DC,?), ref: 0041247D

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: a76d94471d75101d3d19dad7ac3713a68ec5cb13f5505408d5a5f3094a28fb24
Instruction ID: f7402770b179a49de0ab9fe0b192ea54849ac29a58fff8f6d7b1295910a8291e
Opcode Fuzzy Hash: a76d94471d75101d3d19dad7ac3713a68ec5cb13f5505408d5a5f3094a28fb24
Instruction Fuzzy Hash: 31C04C36159105FF8F020F70CC04C1ABFA2AB99311F10CA18B155C4074C7328034EB12

Function 004135D1 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 004135FE

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 09e9218cbcf6ec2e1d3ec58b92c603910d18c049cb9797cd433dd5721a44e625
Instruction ID: c5f2408c3cf5f7c02ccda8fc3474b5540caab3f10de51e5c5504a290d30f7bf8
Opcode Fuzzy Hash: 09e9218cbcf6ec2e1d3ec58b92c603910d18c049cb9797cd433dd5721a44e625
Instruction Fuzzy Hash: 5221B771A00B00AFC724CF99C98489BF7F9FF88725764896ED09A93A00D774F945CB54

Function 004133AE Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(?,0041C694), ref: 004133F1

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 077327ad973cbf0bf968648ad16f4ee5207855660b82e04fedf8791f854ae119
Instruction ID: 96fb0cf52aecf5192a38f014b97361b1bca792eaa3b626b98573c6095701f3dd
Opcode Fuzzy Hash: 077327ad973cbf0bf968648ad16f4ee5207855660b82e04fedf8791f854ae119
Instruction Fuzzy Hash: A701B171500705AFCB28CF79C80599BBBF8EF45310700496EA882C3611D774FA85CB50

Function 00402A64 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00413394,?,?,?,0040C02F,?), ref: 00402A80

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d52152f8240d310394afd4d808f8c2102ad5bdb202a27d84af0ad2d18dcc3f18
Instruction ID: 5caba0a65663c98afa134883a55f00c862568e26fdb3439aab27b9329ceed79e
Opcode Fuzzy Hash: d52152f8240d310394afd4d808f8c2102ad5bdb202a27d84af0ad2d18dcc3f18
Instruction Fuzzy Hash: EEC08C303483007AEE6217619E0BF4A3652AB84B16F40C069F348A80E0CBF48810BA0E

Function 00402003 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00413323,00000000,?,0041338B,?,?,0040C02F,?), ref: 00402015

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ef87b2e52dde92dd11102c14b5a17c3afe989afc729bbcebbe3bdea788540431
Instruction ID: 9ed37f882ad336993377ad69d37c294f0e387d69dd66a5117829caba82127f93
Opcode Fuzzy Hash: ef87b2e52dde92dd11102c14b5a17c3afe989afc729bbcebbe3bdea788540431
Instruction Fuzzy Hash: 96B09230285300BAEF224B00DE0DB4A76A0AB80B05F24C828B288340E187B85818EA0E

Non-executed Functions

Function 00402490 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?), ref: 004024DF
wsprintfW.USER32 ref: 004024F0
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402505
GetLastError.KERNEL32 ref: 0040250A
??2@YAPAXI@Z.MSVCRT ref: 00402525
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402538
GetLastError.KERNEL32 ref: 0040253F
lstrcmpiW.KERNEL32(00ADC6C8,?), ref: 00402554
??3@YAXPAX@Z.MSVCRT ref: 00402564
??3@YAXPAX@Z.MSVCRT ref: 00402582
SetLastError.KERNEL32(00000003), ref: 0040258B
lstrlenA.KERNEL32(0041B330), ref: 004025BF
??2@YAPAXI@Z.MSVCRT ref: 004025DA
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 0040260C
_wtol.MSVCRT(?), ref: 0040261D
MultiByteToWideChar.KERNEL32(00000000,0041B330,00000001,00ADC6C8,00000002), ref: 0040263D

Strings

SfxString%d, xrefs: 004024EA

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: SfxString%d
API String ID: 2117570002-944934635
Opcode ID: 112b8933a593586a47d24d1e8032f038cdb721ad5abb193907f9b4e79a180b84
Instruction ID: b38029d2e4fd4b9097bbc1654eb9199a4bd5f96dc74ee56e617e2b3e5d7b8fd3
Opcode Fuzzy Hash: 112b8933a593586a47d24d1e8032f038cdb721ad5abb193907f9b4e79a180b84
Instruction Fuzzy Hash: 3651B379900215FFCB10DF65DD89EDABBA9FB08300F10443AE946E62D0D7B8A9518B1E

Function 004092A9 Relevance: 27.1, APIs: 18, Instructions: 144windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00407925: GetDlgItem.USER32(?,?), ref: 00407932
Part of subcall function 00407925: ShowWindow.USER32(00000000,?), ref: 00407949

GetDlgItem.USER32(?,000004B8), ref: 004092D6
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004092E5
GetDlgItem.USER32(?,000004B5), ref: 0040932C
GetWindowLongW.USER32(00000000,000000F0), ref: 00409331
GetDlgItem.USER32(?,000004B5), ref: 00409341
SetWindowLongW.USER32(00000000), ref: 00409344
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 0040936A
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 0040937C
GetDlgItem.USER32(?,000004B4), ref: 00409386
SetFocus.USER32(00000000), ref: 00409389
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004093B8
CoCreateInstance.OLE32(0041C454,00000000,00000001,0041BD5C,?), ref: 004093DC
GetDlgItem.USER32(?,00000002), ref: 004093F9
IsWindow.USER32(00000000), ref: 004093FC
GetDlgItem.USER32(?,00000002), ref: 0040940C
EnableWindow.USER32(00000000), ref: 0040940F
GetDlgItem.USER32(?,000004B5), ref: 00409423
ShowWindow.USER32(00000000), ref: 00409426

Part of subcall function 00408186: GetDlgItem.USER32(?,000004B6), ref: 00408194

Part of subcall function 00408E5E: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00409228), ref: 00408E87
Part of subcall function 00408E5E: LoadIconW.USER32(00000000), ref: 00408E8A
Part of subcall function 00408E5E: GetSystemMetrics.USER32(00000032), ref: 00408E9E
Part of subcall function 00408E5E: GetSystemMetrics.USER32(00000031), ref: 00408EA3
Part of subcall function 00408E5E: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00409228), ref: 00408EAC
Part of subcall function 00408E5E: LoadImageW.USER32(00000000), ref: 00408EAF
Part of subcall function 00408E5E: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408ECF
Part of subcall function 00408E5E: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408ED8
Part of subcall function 00408E5E: GetDlgItem.USER32(?,000004B2), ref: 00408EF4
Part of subcall function 00408E5E: GetDlgItem.USER32(?,000004B2), ref: 00408EFE
Part of subcall function 00408E5E: GetWindowLongW.USER32(?,000000F0), ref: 00408F0A
Part of subcall function 00408E5E: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00408F19
Part of subcall function 00408E5E: GetDlgItem.USER32(?,000004B5), ref: 00408F27
Part of subcall function 00408E5E: GetDlgItem.USER32(?,000004B5), ref: 00408F35
Part of subcall function 00408E5E: GetWindowLongW.USER32(?,000000F0), ref: 00408F41
Part of subcall function 00408E5E: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00408F50

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Item$Window$Long$MessageSendSystem$EnableHandleLoadMenuMetricsModuleShow$CreateFocusIconImageInstanceTimer
String ID:
API String ID: 1057135554-0
Opcode ID: e49754246b07947f9327a3e505a0dc2af3972f83f5c4b04be4888168014b4bf2
Instruction ID: 1f75f4d576376dd6869b7793cc4008a80ff502f108e2297fe30e58830d0475fc
Opcode Fuzzy Hash: e49754246b07947f9327a3e505a0dc2af3972f83f5c4b04be4888168014b4bf2
Instruction Fuzzy Hash: 114186B0605708AFDA206F26DD49F5B7BADEF84B04F00843DF955A62E1CB79A850CB1D

Function 004020D2 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004020DD
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 004020FA
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 0040210E
SizeofResource.KERNEL32(00000000,00000000), ref: 0040211F
LoadResource.KERNEL32(00000000,00000000), ref: 00402129
LockResource.KERNEL32(00000000), ref: 00402134
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00402160
GetProcAddress.KERNEL32(00000000), ref: 00402169
wsprintfW.USER32 ref: 00402188
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 0040219D
GetProcAddress.KERNEL32(00000000), ref: 004021A0

Strings

%04X%c%04X%c, xrefs: 00402182
SetProcessPreferredUILanguages, xrefs: 0040214B
SetThreadPreferredUILanguages, xrefs: 00402197
kernel32, xrefs: 00402150, 00402155, 0040219C

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: 4509f4e0e8980c838efd414ca7c3a82435c9d4736e02e482c88f6a1a6bb26b48
Instruction ID: 1ae794569512dbc5e404ee13fbffb6c659747c84c2a5761ed66dfa610d18b3e0
Opcode Fuzzy Hash: 4509f4e0e8980c838efd414ca7c3a82435c9d4736e02e482c88f6a1a6bb26b48
Instruction Fuzzy Hash: 2021B0B5941308BBDB119BA58C08FAB3ABCEB44710F148422FA04F72D1D6B8CD10CBA9

Function 004095EE Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 00409612
GetLastError.KERNEL32 ref: 00409623
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,0000000F), ref: 0040964B
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,0000000F), ref: 00409660
lstrlenW.KERNEL32(?), ref: 00409673
lstrlenW.KERNEL32(00000000), ref: 0040967A
??2@YAPAXI@Z.MSVCRT ref: 0040968F
lstrcpyW.KERNEL32(00000000,?), ref: 004096A5
lstrcpyW.KERNEL32(-00000002,00000000), ref: 004096B6
??3@YAXPAX@Z.MSVCRT ref: 004096BF
LocalFree.KERNEL32(00000000), ref: 004096C9

Strings

setup.exe, xrefs: 004095F8

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID: setup.exe
API String ID: 829399097-3657005579
Opcode ID: 5750c877aa78be372f2aceb619f0782c8b01b09b2bad645ab1ffa00b07643c80
Instruction ID: 12e22466ea7d6f2cf89fb4c3cc46047a539dfe2ce14655017aee965f16fa7126
Opcode Fuzzy Hash: 5750c877aa78be372f2aceb619f0782c8b01b09b2bad645ab1ffa00b07643c80
Instruction Fuzzy Hash: DD21937680020CFFDB159FA1DC85DEB7BACEB08354B10847BF905A6191EA349E848BA4

Function 00403211 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,0041A688,?,?,?,00000000), ref: 00403240
lstrcmpW.KERNEL32(?,0041A684,?,0000005C,?,?,?,00000000), ref: 00403293
lstrcmpW.KERNEL32(?,0041A67C,?,?,00000000), ref: 004032A9
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 004032BF
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 004032C6
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 004032D8
FindClose.KERNEL32(00000000,?,?,00000000), ref: 004032E7
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 004032F2
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 004032FB
??3@YAXPAX@Z.MSVCRT ref: 00403306
??3@YAXPAX@Z.MSVCRT ref: 00403311

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 521c214363005649f0aa4fc9851e41a9a7fff0a70674e1ff8893655f89226a6c
Instruction ID: 205cec036fafae4d6b5c4eb3cdad048787afdd456ba1b9ea9c608b8e0a7b29f3
Opcode Fuzzy Hash: 521c214363005649f0aa4fc9851e41a9a7fff0a70674e1ff8893655f89226a6c
Instruction Fuzzy Hash: B62186306012197ADB10AF61DD89FEF3B7CAF44745F1444BAF401B10D1EB38AB558A6D

Function 00408DA3 Relevance: 7.5, APIs: 5, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00408DC2
SetWindowsHookExW.USER32(00000007,Function_00008CE9,00000000,00000000), ref: 00408DCD
GetCurrentThreadId.KERNEL32 ref: 00408DDC
SetWindowsHookExW.USER32(00000002,Function_00008D75,00000000,00000000), ref: 00408DE7
EndDialog.USER32(?,00000000), ref: 00408E0D

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: CurrentHookThreadWindows$Dialog
String ID:
API String ID: 1967849563-0
Opcode ID: 22cad4405ffc611baa51b5bbdaae86c111a6b8b6ccf94b2873c5b2e9bd901595
Instruction ID: 49f4609565cbbe2eab54e5c52cde7036a9aea870f9903f9aac46f6f4f475420f
Opcode Fuzzy Hash: 22cad4405ffc611baa51b5bbdaae86c111a6b8b6ccf94b2873c5b2e9bd901595
Instruction Fuzzy Hash: 3C012672201218EFD6106B57ED04AB2F7ECFF54352B01803FE605D29A1CBB758008B6E

Function 00402757 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,004066C8,?,?,?,?,004066C8), ref: 00402790
CheckTokenMembership.ADVAPI32(00000000,004066C8,?,?,?,?,004066C8,?,00000000,?,?), ref: 004027A2
FreeSid.ADVAPI32(004066C8,?,?,?,004066C8,?,00000000,?,?), ref: 004027AB

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 65cc84debf9a599d2aa76ae24c15b7a3b387b9e5edbe49ca06617e6efb59e37b
Instruction ID: be3f0cd0d0f8866a1a9b6021142c7c8ef3248d09ca8b520e62c9ce18037cc408
Opcode Fuzzy Hash: 65cc84debf9a599d2aa76ae24c15b7a3b387b9e5edbe49ca06617e6efb59e37b
Instruction Fuzzy Hash: 1FF04F7294528CFFDB01DFE88D85ADEBF7CAB18200F4480EAE101B3182D2705718CB2A

Function 0040D470 Relevance: 2.7, APIs: 2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ce5bbf85c27cd3a16bfd62f914cbf9f601b523d066491095a794ae8ca6ce8a
Instruction ID: 7a199f50f8a76bda01e3d9699587820df5a766742c6411fdac8cb10a31be0a81
Opcode Fuzzy Hash: e7ce5bbf85c27cd3a16bfd62f914cbf9f601b523d066491095a794ae8ca6ce8a
Instruction Fuzzy Hash: A061A671A14B019BC728DF79C4916EBB7E0BF40308F44092FE4CA5BA81D739B559CB95

Function 0040ED00 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
Instruction ID: 8cec78a6a68e099a16e582f3a8e71d5628037794c160d545261e982a803351c6
Opcode Fuzzy Hash: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
Instruction Fuzzy Hash: 02022E72A042118BD71CCE28C59027DBBE2FBC4344F150A3FE89667BD4D6789958CB9A

Function 0040A260 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfa02b277370bfe2ec98d47c5a79ead9a97245a421863a61a189d28b752ac7c
Instruction ID: 78eba2b73e7315ed747d2463b99e0f0da727e6e3e71e6de6a30a0cc06e3ef934
Opcode Fuzzy Hash: 3dfa02b277370bfe2ec98d47c5a79ead9a97245a421863a61a189d28b752ac7c
Instruction Fuzzy Hash: EAD173368882628FE308CF1ADC44566B7A2BFC9350F4E8A79DD9527652C334B913CB95

Function 00409DC0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91de5e9ca90c5c66c09e0000d0865218a8ccaff647e0888f7f8b7f535350ac81
Instruction ID: b01226d48ec95055162be86c292afb05ea0fa44dcd13ef36d70e14c0bb6191cc
Opcode Fuzzy Hash: 91de5e9ca90c5c66c09e0000d0865218a8ccaff647e0888f7f8b7f535350ac81
Instruction Fuzzy Hash: F8D1A43A9082A28FE758CF19D850126B7E2AFC9350F8E467DD98427653C334F912DB99

Function 0040AC10 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bfdb3e15d592c1de232d933842c4ab9efd31f480a5751ca1ce541d06df7cb1
Instruction ID: 5fd417c7d952572407c6f6c7888f1ca0bc84f4baebbdb2067ae0ca3ec0b4583c
Opcode Fuzzy Hash: c7bfdb3e15d592c1de232d933842c4ab9efd31f480a5751ca1ce541d06df7cb1
Instruction Fuzzy Hash: 7D71026600DBD08FC3228B3D9C91665BFE1AEA3105B4D8ACDC0E64BB93D426E10CDB75

Function 0040A8F0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9e4649785a9a7ed9bea9f6086f005d98fb5c2918bdb11e6aa39f0e60002f7f
Instruction ID: 926f2a0b08006a4986c2385453d256f4e4db2d14bf8f3d597d75ad2e2c7ef35c
Opcode Fuzzy Hash: ae9e4649785a9a7ed9bea9f6086f005d98fb5c2918bdb11e6aa39f0e60002f7f
Instruction Fuzzy Hash: 08615C725087118FC318DF49D48494AF3E1FFC8318F1A8A6DE9885B361D771E959CB86

Function 0040B0D0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba670fa79e56ea5da9b08d97b7026661e275447204a1dd6cba2d29967c51129
Instruction ID: 6873055d3e848c5c3cb633622bbdea2459b20436e901cb037d067e349efc7e13
Opcode Fuzzy Hash: 0ba670fa79e56ea5da9b08d97b7026661e275447204a1dd6cba2d29967c51129
Instruction Fuzzy Hash: AF41E131B506250AF30C8FA99CD41962FC3D7CA3D2788C63DCA65C6299DABDC057D26C

Function 0040B0D4 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99baf1275c6f2b3443f1753a8f1347bf9585a8147b3ee6e0b1e3a1cf49954d11
Instruction ID: 52a36a15b96d8c3db12f4224e86d09f16eb1e762efc431baf9d28f8b44aef370
Opcode Fuzzy Hash: 99baf1275c6f2b3443f1753a8f1347bf9585a8147b3ee6e0b1e3a1cf49954d11
Instruction Fuzzy Hash: 0F41F131B506250AF31C8FA99CD42962BD3E7C93D2B88C23DCA65C6289DABDC057D258

Function 00419943 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction ID: fc6911014a5769c04090d27d7ffa82f8d56c726274b281e5acdfb0369f8c68fc
Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction Fuzzy Hash: B6419461C14F9652EB134F7CC842272B320BFAB244F00D75AFDD179963FB326984A655

Function 00409C10 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6961a6851b0df35e6703018b4a68322b5050cf4149273f733f52e21d87ed88d
Instruction ID: 8a2b0b24014c5991b986b901f2d8342aca775a45101bb951e5ded948b9e7196c
Opcode Fuzzy Hash: d6961a6851b0df35e6703018b4a68322b5050cf4149273f733f52e21d87ed88d
Instruction Fuzzy Hash: DE312C75F082620BF3118F1F8880165FBD29FD5210B8981BADC98DB787D23ADD5287E4

Function 00418F10 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b24d27d690fea3d6a361d608d489979a53087c277769aa55b9e439747c50c34
Instruction ID: 6fb0da5beb68f4ae9d0fb46ff12b95f1bd5c2126e2b05c5ba8ba89b872001878
Opcode Fuzzy Hash: 0b24d27d690fea3d6a361d608d489979a53087c277769aa55b9e439747c50c34
Instruction Fuzzy Hash: 14212E3B370D4607EB0C8979AD377BE24C2E344306F88953DE247C9785EEAE9895860D

Function 004195D1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: c49fcab296ca2bf8af27a36cb23aed312f04d0f4f633dbe1329b5bd87955ea3a
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: BC21C53290462587CB02CE6EE4945A7F392FBD436AF174727ED8467290C639AC54C6A0

Function 004196AB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: f99b16dda6d38cb87e4d8a5a1f23eddda7a055a6a92cbe0f293ea0f4b8d4b774
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: FB21077252442587C701DF1DE8986B7B3E1FFC4319F678A2BD9928B1C1C628DC85D6A4

Function 00405492 Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 213threadprocesssynchronizationCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,00000000,?), ref: 004054B3
??3@YAXPAX@Z.MSVCRT ref: 00405576
??3@YAXPAX@Z.MSVCRT ref: 0040557E
??3@YAXPAX@Z.MSVCRT ref: 00405586
??3@YAXPAX@Z.MSVCRT ref: 0040558E
??3@YAXPAX@Z.MSVCRT ref: 00405596
??3@YAXPAX@Z.MSVCRT ref: 0040559E
??3@YAXPAX@Z.MSVCRT ref: 004055A6
??3@YAXPAX@Z.MSVCRT ref: 004055AE
??3@YAXPAX@Z.MSVCRT ref: 004055B6
??3@YAXPAX@Z.MSVCRT ref: 004055BE
GetStartupInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004055D7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 004055FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00405608
??3@YAXPAX@Z.MSVCRT ref: 00405613
??3@YAXPAX@Z.MSVCRT ref: 0040561B
CreateJobObjectW.KERNEL32(00000000,00000000), ref: 00405630
AssignProcessToJobObject.KERNEL32(00000000,?), ref: 00405647
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00405657
SetInformationJobObject.KERNEL32(?,00000007,?,00000008), ref: 00405678
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405681
GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 004056A0
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004056A9
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 004056B0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004056BF
GetExitCodeProcess.KERNEL32(?,?), ref: 004056C8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004056D3
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 004056DF
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004056E6
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004056F1

Strings

" -, xrefs: 004054DE
sfxwaitall, xrefs: 004054D9

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$CloseHandleObject$CreateProcess$CompletionErrorLastResumeThread$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
String ID: " -$sfxwaitall
API String ID: 2734624574-3991362806
Opcode ID: 7534138555af6d7da0c06f5bf533e0ea3e48f844fa8dd0bc78d8b3727306353b
Instruction ID: 8b36649a7f5b94844dc410b38ac8e125e7099180b2db9c241bbbf3df1b55dd4b
Opcode Fuzzy Hash: 7534138555af6d7da0c06f5bf533e0ea3e48f844fa8dd0bc78d8b3727306353b
Instruction Fuzzy Hash: AB6160B2800108BBDF11EFA1DC45EDF3B6CFF58314F044536FA15A21A1DA3A9A549FA9

Function 00403C03 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT(\@,00000000,0041E9F4), ref: 00403C27
SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,0041EA00,00000000,0041E9F4), ref: 00403CCA
??3@YAXPAX@Z.MSVCRT ref: 00403D3B
??3@YAXPAX@Z.MSVCRT ref: 00403D43
??3@YAXPAX@Z.MSVCRT ref: 00403D4B
??3@YAXPAX@Z.MSVCRT ref: 00403D53
??3@YAXPAX@Z.MSVCRT ref: 00403D5B
??3@YAXPAX@Z.MSVCRT ref: 00403D63
??3@YAXPAX@Z.MSVCRT ref: 00403D6B
_wtol.MSVCRT(?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,?), ref: 00403DC1
CoCreateInstance.OLE32(0041C444,00000000,00000001,0041C404,\@,.lnk,?,0000005C), ref: 00403E62
??3@YAXPAX@Z.MSVCRT ref: 00403EFA
??3@YAXPAX@Z.MSVCRT ref: 00403F02
??3@YAXPAX@Z.MSVCRT ref: 00403F0A
??3@YAXPAX@Z.MSVCRT ref: 00403F12
??3@YAXPAX@Z.MSVCRT ref: 00403F1A
??3@YAXPAX@Z.MSVCRT ref: 00403F22
??3@YAXPAX@Z.MSVCRT ref: 00403F2A
??3@YAXPAX@Z.MSVCRT ref: 00403F30
??3@YAXPAX@Z.MSVCRT ref: 00403F38

Strings

\@, xrefs: 00403C14, 00403E4E, 00403E70, 00403EC2, 00403EEE, 00403EB5, 00403EA4, 00403E93, 00403E82, 00403C26, 00403D2B, 00403E51, 00403E79, 00403E8A, 00403E9B, 00403EAC, 00403EBE, 00403ED0, 00403EF3
.lnk, xrefs: 00403E41

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: \@$.lnk
API String ID: 408529070-2235551897
Opcode ID: d9a6bea30dddc72238565fe839226f4d34a1f6ac7e97ef8c390e739a8a88dd89
Instruction ID: c4e1fde8d964a46e0093ffadff84aaac9e103622305f5a74ab09339710324432
Opcode Fuzzy Hash: d9a6bea30dddc72238565fe839226f4d34a1f6ac7e97ef8c390e739a8a88dd89
Instruction Fuzzy Hash: 8CA14D71C10209ABDF14EFA5CC959EEBB79FF5830AF50442AF401B61A1DB399E42CB18

Function 00404F17 Relevance: 37.0, APIs: 3, Strings: 18, Instructions: 227stringCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT(00000000), ref: 004050F0
_wtol.MSVCRT(00000000), ref: 0040510C
lstrcmpiW.KERNEL32(00000000,0041B81C,?,?,?,?,?,?,?,?,?,?,?,?,?,004062EB), ref: 00404FF3

Part of subcall function 00402490: GetLastError.KERNEL32(00000000,?,?), ref: 004024DF
Part of subcall function 00402490: wsprintfW.USER32 ref: 004024F0
Part of subcall function 00402490: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402505
Part of subcall function 00402490: GetLastError.KERNEL32 ref: 0040250A
Part of subcall function 00402490: ??2@YAPAXI@Z.MSVCRT ref: 00402525
Part of subcall function 00402490: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402538
Part of subcall function 00402490: GetLastError.KERNEL32 ref: 0040253F
Part of subcall function 00402490: lstrcmpiW.KERNEL32(00ADC6C8,?), ref: 00402554
Part of subcall function 00402490: ??3@YAXPAX@Z.MSVCRT ref: 00402564
Part of subcall function 00402490: SetLastError.KERNEL32(00000003), ref: 0040258B
Part of subcall function 00402490: lstrlenA.KERNEL32(0041B330), ref: 004025BF
Part of subcall function 00402490: ??2@YAPAXI@Z.MSVCRT ref: 004025DA
Part of subcall function 00402490: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 0040260C

Strings

WarningTitle, xrefs: 00404FAB
ExtractCancelText, xrefs: 004050B5
MiscFlags, xrefs: 00405085, 0040508A, 004050A6
Progress, xrefs: 00404FDB
ExtractDialogWidth, xrefs: 004050D2
PasswordText, xrefs: 00405175
ErrorTitle, xrefs: 00404F93
CancelPrompt, xrefs: 00405145
PasswordTitle, xrefs: 0040515D
ExtractPathText, xrefs: 0040512D
ExtractPathTitle, xrefs: 00405115
ExtractTitle, xrefs: 00404FC3
GUIFlags, xrefs: 00405052, 00405057, 00405073
ExtractPathWidth, xrefs: 004050F9
OverwriteMode, xrefs: 00405035
GUIMode, xrefs: 00405008
ExtractDialogText, xrefs: 004050C1
Title, xrefs: 00404F25

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$PasswordText$PasswordTitle$Progress$Title$WarningTitle
API String ID: 2725485552-2157245290
Opcode ID: a9c6cff8117c3c550b4708d415d49011fe0d469eb6c0d786097ad36de742edcb
Instruction ID: 52c7338879562ac0f6f4460f1eb4efb93b6b1db4ff06df03ebd91a0864d1fcfd
Opcode Fuzzy Hash: a9c6cff8117c3c550b4708d415d49011fe0d469eb6c0d786097ad36de742edcb
Instruction Fuzzy Hash: BB51C9F5E016007ADA11AB275D4ADEF366CDB85708F24443BF904F62C2E77C4E805AAE

Function 00405758 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 0040579F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004057D0
WriteFile.KERNEL32(0041EA30,?,?,00407453,00000000,del ",:Repeat,00000000), ref: 00405885
??3@YAXPAX@Z.MSVCRT ref: 00405890
CloseHandle.KERNEL32(0041EA30), ref: 00405899
SetFileAttributesW.KERNEL32(00407453,00000000), ref: 004058B0
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 004058C2
??3@YAXPAX@Z.MSVCRT ref: 004058CB
??3@YAXPAX@Z.MSVCRT ref: 004058D7
??3@YAXPAX@Z.MSVCRT ref: 004058DD
??3@YAXPAX@Z.MSVCRT ref: 0040590B

Strings

if exist ", xrefs: 00405820
open, xrefs: 004058BC
" goto Repeat, xrefs: 00405839
del ", xrefs: 004057F8, 004057FD, 00405846
7ZSfx%03x.cmd, xrefs: 004057B1
", xrefs: 00405812, 00405817, 0040585B
:Repeat, xrefs: 004057EB

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 359f3aabc4f9e8e11f607baf3d53a5a18da6526f5fcab5e0f91bfd03befc198a
Instruction ID: 454e938891a81a3ce6e75c33e440a46dac244c8e97479dacccdbce2c62b697e3
Opcode Fuzzy Hash: 359f3aabc4f9e8e11f607baf3d53a5a18da6526f5fcab5e0f91bfd03befc198a
Instruction Fuzzy Hash: F7413772C00108AADF11AB91DD869EF7B78EF08318F10843AF511761E1EB795E86CB99

Function 00403458 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 0040346B
lstrcmpiA.KERNEL32(?,STATIC), ref: 0040347E
GetWindowLongW.USER32(?,000000F0), ref: 0040348B

Part of subcall function 00403415: GetWindowTextLengthW.USER32(?), ref: 00403426
Part of subcall function 00403415: GetWindowTextW.USER32(0040349F,00000000,00000001), ref: 00403443

??3@YAXPAX@Z.MSVCRT ref: 004034B8
GetParent.USER32(?), ref: 004034C6
LoadLibraryA.KERNEL32(riched20), ref: 004034DA
GetMenu.USER32(?), ref: 004034ED
SetThreadLocale.KERNEL32(00000419), ref: 004034FA
CreateWindowExW.USER32(00000000,RichEdit20W,0041A584,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 0040352A
DestroyWindow.USER32(?), ref: 0040353B
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00403550
GetSysColor.USER32(0000000F), ref: 00403554
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00403562
SendMessageW.USER32(00000000,00000461,?,?), ref: 0040358D
??3@YAXPAX@Z.MSVCRT ref: 00403592
??3@YAXPAX@Z.MSVCRT ref: 0040359A

Strings

riched20, xrefs: 004034D5
RichEdit20W, xrefs: 00403524
{\rtf, xrefs: 004034A1
STATIC, xrefs: 00403475

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 3514532227-2281146334
Opcode ID: 7a3c48a2f791b8e6eb50c97ca310f5915cf6b49072542dbb20b47e5b871b4bb5
Instruction ID: b3a85dc6914aeaa8d740e49fddd05501c59d58f3c974b6d8e2233c6538772d35
Opcode Fuzzy Hash: 7a3c48a2f791b8e6eb50c97ca310f5915cf6b49072542dbb20b47e5b871b4bb5
Instruction Fuzzy Hash: EB31B371901108BFDB02AFA5DC49DEF7BBCAF08705F108076F604F2190D6398E508B6A

Function 00408E5E Relevance: 34.8, APIs: 23, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00409228), ref: 00408E87
LoadIconW.USER32(00000000), ref: 00408E8A
GetSystemMetrics.USER32(00000032), ref: 00408E9E
GetSystemMetrics.USER32(00000031), ref: 00408EA3
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00409228), ref: 00408EAC
LoadImageW.USER32(00000000), ref: 00408EAF
SendMessageW.USER32(?,00000080,00000001,?), ref: 00408ECF
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408ED8
GetDlgItem.USER32(?,000004B2), ref: 00408EF4
GetDlgItem.USER32(?,000004B2), ref: 00408EFE
GetWindowLongW.USER32(?,000000F0), ref: 00408F0A
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00408F19
GetDlgItem.USER32(?,000004B5), ref: 00408F27
GetDlgItem.USER32(?,000004B5), ref: 00408F35
GetWindowLongW.USER32(?,000000F0), ref: 00408F41
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00408F50
GetWindow.USER32(?,00000005), ref: 00409036
GetWindow.USER32(?,00000005), ref: 00409052
GetWindow.USER32(?,00000005), ref: 0040906A
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,00409228), ref: 004090CA
LoadIconW.USER32(00000000), ref: 004090D1
GetDlgItem.USER32(?,000004B1), ref: 004090F0
SendMessageW.USER32(00000000), ref: 004090F3

Part of subcall function 00408258: GetDlgItem.USER32(?,?), ref: 00408262
Part of subcall function 00408258: GetWindowTextLengthW.USER32(00000000), ref: 00408269

Part of subcall function 00407925: GetDlgItem.USER32(?,?), ref: 00407932
Part of subcall function 00407925: ShowWindow.USER32(00000000,?), ref: 00407949

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Window$Item$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 3694754696-0
Opcode ID: ac7ec00e336c9794e50417161d8aedd7d6cb4612ce90e1a6ec5d593e8ae60ef1
Instruction ID: d692341db9c411847407f156b048f82b81d978b801c66f1920d912fc514de515
Opcode Fuzzy Hash: ac7ec00e336c9794e50417161d8aedd7d6cb4612ce90e1a6ec5d593e8ae60ef1
Instruction Fuzzy Hash: BD71D5703447057BEA256B21DD4AF2B3699EB84704F10443EF652BA2D3CFBDAC018A5E

Function 004021BB Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 004021C7
GetDeviceCaps.GDI32(00000000,00000058), ref: 004021D3
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 004021EC
GetObjectW.GDI32(?,00000018,?), ref: 0040221B
MulDiv.KERNEL32(?,00000003,00000002), ref: 00402226
MulDiv.KERNEL32(?,00000003,00000002), ref: 00402230
CreateCompatibleDC.GDI32(?), ref: 0040223E
CreateCompatibleDC.GDI32(?), ref: 00402245
SelectObject.GDI32(00000000,?), ref: 00402253
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00402261
SelectObject.GDI32(00000000,00000000), ref: 00402269
SetStretchBltMode.GDI32(00000000,00000004), ref: 00402271
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00402290
GetCurrentObject.GDI32(00000000,00000007), ref: 00402299
SelectObject.GDI32(00000000,?), ref: 004022A6
SelectObject.GDI32(00000000,?), ref: 004022AC
DeleteDC.GDI32(00000000), ref: 004022B5
DeleteDC.GDI32(00000000), ref: 004022B8
ReleaseDC.USER32(00000000,?), ref: 004022BF
ReleaseDC.USER32(00000000,?), ref: 004022CE
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 004022DB

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: 3220a658d56a4ac9a5ca2fef4fc815231d73787dff14446d5a04d435e3e7e9ea
Instruction ID: 438214f58f5379330b0b6d021732d2c30900d875c45a8f4f2e76e20f04445e0f
Opcode Fuzzy Hash: 3220a658d56a4ac9a5ca2fef4fc815231d73787dff14446d5a04d435e3e7e9ea
Instruction Fuzzy Hash: 4E314876D40208BFDF115FE19D48EEF7F79EB48760F108066FA04B61A0C6794A60EB66

Function 004022E6 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 004022F8
lstrcmpiA.KERNEL32(?,STATIC), ref: 0040230F
GetWindowLongW.USER32(?,000000F0), ref: 00402322
GetMenu.USER32(?), ref: 00402337

Part of subcall function 004020D2: GetModuleHandleW.KERNEL32(00000000), ref: 004020DD
Part of subcall function 004020D2: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 004020FA
Part of subcall function 004020D2: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 0040210E
Part of subcall function 004020D2: SizeofResource.KERNEL32(00000000,00000000), ref: 0040211F
Part of subcall function 004020D2: LoadResource.KERNEL32(00000000,00000000), ref: 00402129
Part of subcall function 004020D2: LockResource.KERNEL32(00000000), ref: 00402134

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00402369
memcpy.MSVCRT ref: 00402376
CoInitialize.OLE32(00000000), ref: 0040237F
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 0040238B
OleLoadPicture.OLEAUT32(?,00000000,00000000,0041C424,?), ref: 004023B0
GlobalFree.KERNEL32(00000000), ref: 004023C0

Part of subcall function 004021BB: GetWindowDC.USER32(00000000), ref: 004021C7
Part of subcall function 004021BB: GetDeviceCaps.GDI32(00000000,00000058), ref: 004021D3
Part of subcall function 004021BB: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 004021EC
Part of subcall function 004021BB: GetObjectW.GDI32(?,00000018,?), ref: 0040221B
Part of subcall function 004021BB: MulDiv.KERNEL32(?,00000003,00000002), ref: 00402226
Part of subcall function 004021BB: MulDiv.KERNEL32(?,00000003,00000002), ref: 00402230
Part of subcall function 004021BB: CreateCompatibleDC.GDI32(?), ref: 0040223E
Part of subcall function 004021BB: CreateCompatibleDC.GDI32(?), ref: 00402245
Part of subcall function 004021BB: SelectObject.GDI32(00000000,?), ref: 00402253
Part of subcall function 004021BB: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00402261
Part of subcall function 004021BB: SelectObject.GDI32(00000000,00000000), ref: 00402269
Part of subcall function 004021BB: SetStretchBltMode.GDI32(00000000,00000004), ref: 00402271
Part of subcall function 004021BB: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00402290
Part of subcall function 004021BB: GetCurrentObject.GDI32(00000000,00000007), ref: 00402299
Part of subcall function 004021BB: SelectObject.GDI32(00000000,?), ref: 004022A6
Part of subcall function 004021BB: SelectObject.GDI32(00000000,?), ref: 004022AC
Part of subcall function 004021BB: DeleteDC.GDI32(00000000), ref: 004022B5
Part of subcall function 004021BB: DeleteDC.GDI32(00000000), ref: 004022B8
Part of subcall function 004021BB: ReleaseDC.USER32(00000000,?), ref: 004022BF

GetObjectW.GDI32(00000000,00000018,?), ref: 004023F2
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00402406
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00402418
GlobalFree.KERNEL32(00000000), ref: 0040242D

Strings

STATIC, xrefs: 00402306
IMAGES, xrefs: 00402341

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: ce6654e4372c3ffa34acb2beffbf551bf042f34cfe31152263ceba8f76af984c
Instruction ID: 39ea2f5a34e6d05919b55838b179f0d08c2ef57fa9a9f3a5cade62fe7f969a15
Opcode Fuzzy Hash: ce6654e4372c3ffa34acb2beffbf551bf042f34cfe31152263ceba8f76af984c
Instruction Fuzzy Hash: BE418A31902218BFCB119FA1DD4CDEF7F79FF09711B0080A6F905A62A0D7798A51DBA9

Function 00407A40 Relevance: 24.3, APIs: 16, Instructions: 294COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00407A68
GetWindowLongW.USER32(00000000,000000F0), ref: 00407A6D
GetDlgItem.USER32(?,000004B4), ref: 00407AA4
GetWindowLongW.USER32(00000000,000000F0), ref: 00407AA9
GetSystemMetrics.USER32(00000010), ref: 00407B2B
GetSystemMetrics.USER32(00000011), ref: 00407B31
GetSystemMetrics.USER32(00000008), ref: 00407B38
GetSystemMetrics.USER32(00000007), ref: 00407B3F
GetParent.USER32(?), ref: 00407B63
GetClientRect.USER32(00000000,?), ref: 00407B75
ClientToScreen.USER32(?,?), ref: 00407B88
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 00407BEE
GetClientRect.USER32(?,?), ref: 00407C88

Part of subcall function 00407A11: GetDlgItem.USER32(?,?), ref: 00407A2F
Part of subcall function 00407A11: SetWindowPos.USER32(00000000), ref: 00407A36

ClientToScreen.USER32(?,?), ref: 00407B91

Part of subcall function 00407908: GetDlgItem.USER32(?,?), ref: 00407914

GetSystemMetrics.USER32(00000008), ref: 00407D0D
GetSystemMetrics.USER32(00000007), ref: 00407D14

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: 5ad90722fe14a1231b09212549862ba01d9118f977830e8c8324fbeb544dab44
Instruction ID: f3222828a116df411f5926d4397ac139304d214e2855758f1a874d1ee42c1992
Opcode Fuzzy Hash: 5ad90722fe14a1231b09212549862ba01d9118f977830e8c8324fbeb544dab44
Instruction Fuzzy Hash: 46A13B70E04209AFDB14CFBDDD85AEEBBF9EF48304F14452AE605F2291D678E9008B65

Function 004037A5 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040382E
??3@YAXPAX@Z.MSVCRT ref: 00403836
??3@YAXPAX@Z.MSVCRT ref: 00403A5C

Part of subcall function 004028F8: ??3@YAXPAX@Z.MSVCRT ref: 004028FE
Part of subcall function 004028F8: ??3@YAXPAX@Z.MSVCRT ref: 00402905

??3@YAXPAX@Z.MSVCRT ref: 00403A89

Strings

SetEnvironment, xrefs: 004039B8
{\rtf, xrefs: 00403929, 0040393E

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@
String ID: SetEnvironment${\rtf
API String ID: 613200358-318139784
Opcode ID: 27a63a5a7f92f4e166b91d64b471efe2453304cc3adbeb74008082c4d76a8dac
Instruction ID: 8f9334f6a2dd1388b4a5afbed578350eb53b39a6a317aa89a8308fc341e0281c
Opcode Fuzzy Hash: 27a63a5a7f92f4e166b91d64b471efe2453304cc3adbeb74008082c4d76a8dac
Instruction Fuzzy Hash: CA91AF71A00108ABDF21EF91C981AEEBB79AF14305F24407BE481772E2DB795B06DB59

Function 0041942F Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0041945C
__p__fmode.MSVCRT ref: 00419471
__p__commode.MSVCRT ref: 0041947F
__setusermatherr.MSVCRT ref: 004194AB
_initterm.MSVCRT ref: 004194C1
__getmainargs.MSVCRT ref: 004194E4
_initterm.MSVCRT ref: 004194F4
GetStartupInfoA.KERNEL32(?), ref: 00419533
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00419557
exit.MSVCRT ref: 00419567
_XcptFilter.MSVCRT ref: 00419579

Strings

pA, xrefs: 004194DC, 004194DF

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: pA
API String ID: 801014965-794713698
Opcode ID: 032d58b2ebe3cf27d61047a734a84aa96b7daef7a4c7496762f9096cf2c620cd
Instruction ID: f8c09df19b0da82cf9d0b277ad66ee569d762787ff6f3d7b659fbd516fe6565a
Opcode Fuzzy Hash: 032d58b2ebe3cf27d61047a734a84aa96b7daef7a4c7496762f9096cf2c620cd
Instruction Fuzzy Hash: B6419CB6D41344BFDB228FA4DC55AEA7BB9EB09710F20012FE842A3291D7785D81CB59

Function 00407F6E Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00407F7C
GetWindowLongW.USER32(00000000), ref: 00407F83
DefWindowProcW.USER32(?,?,?,?), ref: 00407F99
CallWindowProcW.USER32(?,?,?,?,?), ref: 00407FB6
GetSystemMetrics.USER32(00000031), ref: 00407FC8
GetSystemMetrics.USER32(00000032), ref: 00407FCF
GetWindowDC.USER32(?), ref: 00407FE1
GetWindowRect.USER32(?,?), ref: 00407FEE
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00408022
ReleaseDC.USER32(?,00000000), ref: 0040802A

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 02fb6cd533524937890b9fbe5e83660d242e66e068d65fd6c1c3ae9fb8eaf448
Instruction ID: 75cb0a06a2ac89565616e056336673321ae690d364ffe7e0e0e46a8894e64c23
Opcode Fuzzy Hash: 02fb6cd533524937890b9fbe5e83660d242e66e068d65fd6c1c3ae9fb8eaf448
Instruction Fuzzy Hash: 76212D7650120ABFCB019FB8DD48EEF3BADFB08351F044565F911E22A1CB75E9208B65

Function 0040944E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040918F: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004091D7
Part of subcall function 0040918F: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 004091F7
Part of subcall function 0040918F: GetDlgItem.USER32(?,000004B7), ref: 0040920A
Part of subcall function 0040918F: SetWindowLongW.USER32(00000000,000000FC,Function_00007F6E), ref: 00409218

Part of subcall function 00407925: GetDlgItem.USER32(?,?), ref: 00407932
Part of subcall function 00407925: ShowWindow.USER32(00000000,?), ref: 00407949

Part of subcall function 00407908: GetDlgItem.USER32(?,?), ref: 00407914

GetDlgItem.USER32(?,000004B6), ref: 00409490
DestroyWindow.USER32(00000000), ref: 00409493
CreateWindowExA.USER32(00000200,Edit,0041A844,500100A0,?,?,?,?,?,000004B6,00000000,00000000), ref: 004094C9
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004094D9
GetDlgItem.USER32(?,000004B6), ref: 004094E6
SendMessageW.USER32(00000000,00000030,?,00000001), ref: 004094F0
GetDlgItem.USER32(?,000004B6), ref: 004094FA
SetFocus.USER32(00000000), ref: 004094FD

Strings

Edit, xrefs: 004094BF

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Item$Window$MessageSend$CreateDestroyDirectoryFileFocusInfoLongShowSystem
String ID: Edit
API String ID: 2563414232-554135844
Opcode ID: 56b916562ecd750780d735d099b627b331725e63fe03f363d69cff45a528d5ec
Instruction ID: 7c9fa7fc0bed8e782d3924518fbb970010649ffe409204d719e10ed99d6b5507
Opcode Fuzzy Hash: 56b916562ecd750780d735d099b627b331725e63fe03f363d69cff45a528d5ec
Instruction Fuzzy Hash: F9116A71A00208BFDB11ABE5CD49FAFBBBCEF44B00F104429F605F61A1C675AD508769

Function 00403F47 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00403F8E

Part of subcall function 00402D38: ??3@YAXPAX@Z.MSVCRT ref: 00402DAB

??3@YAXPAX@Z.MSVCRT ref: 00403FB4
wsprintfA.USER32 ref: 00403FD6
wsprintfA.USER32 ref: 00404003

Strings

;!@Install@!UTF-8!, xrefs: 00403F53
;!@InstallEnd@!, xrefs: 00403F62
:%hs, xrefs: 00403FD0
:Language:%u, xrefs: 00403FFD

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-695273242
Opcode ID: 2d8e9db283933717d1bf74dcc637fb004bcd9ef8bf7c609457385d08cecbeda9
Instruction ID: 91c5cc515a8c04ea92080f1a80fa1a733173372db4396516089c4ac9de792270
Opcode Fuzzy Hash: 2d8e9db283933717d1bf74dcc637fb004bcd9ef8bf7c609457385d08cecbeda9
Instruction Fuzzy Hash: 78215E71A001086BDF05EAA58D86EEE73ADAF48304F14406BF905F71C2CB7C9A068799

Function 00407773 Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00407787
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 0040779A
GetDlgItem.USER32(?,000004B4), ref: 004077A4
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004077AC
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 004077BC
GetDlgItem.USER32(?,?), ref: 004077C5
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004077CD
GetDlgItem.USER32(?,?), ref: 004077D6
SetFocus.USER32(00000000,?,?,00000000,004086F2,000004B3,00000000,?,000004B3), ref: 004077D9

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: 68307c55e08eac57185263add51eb06e4822709b00eeca7ae34a923681d662df
Instruction ID: d34367ada3e0903658dac9af1ca1aef10e4e5856eabac84c2cebdb26553fe681
Opcode Fuzzy Hash: 68307c55e08eac57185263add51eb06e4822709b00eeca7ae34a923681d662df
Instruction Fuzzy Hash: A4F04F712403087BEA216B61DD86F9BBB5EDF80B54F018425F354661F0CBF7AC209A29

Function 00407DE9 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00407E08
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00407E27
GetDC.USER32(00000000), ref: 00407E32
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00407E3E
MulDiv.KERNEL32(?,00000048,00000000), ref: 00407E4D
ReleaseDC.USER32(00000000,?), ref: 00407E5B
GetModuleHandleW.KERNEL32(00000000), ref: 00407E83
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000762B), ref: 00407EB8

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: cd9703eaab2b01bd1f1ad72a60e51d9745bb6fb91da23de710b65ac31fde8908
Instruction ID: 5ae0e358a048fe13eeaed06a2eede89b6f7514d73d54057b29107d928dd7117d
Opcode Fuzzy Hash: cd9703eaab2b01bd1f1ad72a60e51d9745bb6fb91da23de710b65ac31fde8908
Instruction Fuzzy Hash: EE21A175901258BFD7215BA19D48EEB7B7CFB08301F0040B6FA09A2290D7788E94CB6A

Function 00407957 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00407967
GetSystemMetrics.USER32(0000000B), ref: 00407983
GetSystemMetrics.USER32(0000003D), ref: 0040798C
GetSystemMetrics.USER32(0000003E), ref: 00407994
SelectObject.GDI32(?,?), ref: 004079B1
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004079CC
SelectObject.GDI32(?,?), ref: 004079F2
ReleaseDC.USER32(?,?), ref: 00407A01

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 361b9f72db81968066b11de39633dd2aeb039f56a0627fc63b5b1369e6440dec
Instruction ID: 99be1965ec9079b19cd9ca7ddb514230b5ddac8da32c359285f501be4f4e114b
Opcode Fuzzy Hash: 361b9f72db81968066b11de39633dd2aeb039f56a0627fc63b5b1369e6440dec
Instruction Fuzzy Hash: CE215472901209AFCB018FA5DD84A9EBFF4FF08360F20C46AE459A72A0D335AA50DF41

Function 004088ED Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00408927
GetDlgItem.USER32(?,000004B8), ref: 00408945
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00408957
wsprintfW.USER32 ref: 00408975
??3@YAXPAX@Z.MSVCRT ref: 00408A0D

Strings

%d%%, xrefs: 0040896F

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: fef41a88bddaff5eade1bc218cc7fbd92aa9700993b027471fab001e173baeb7
Instruction ID: 76316364547db91db0794513d36d59d3d90bef1704c5e6550bd17e0e5aae4baa
Opcode Fuzzy Hash: fef41a88bddaff5eade1bc218cc7fbd92aa9700993b027471fab001e173baeb7
Instruction Fuzzy Hash: DC31B171900208BFCB11AF91DD45EEA7BB9FF48304F10846EF986662F1CB79A911CB59

Function 00408B04 Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00408B1E
KillTimer.USER32(?,00000001), ref: 00408B2F
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408B59
SuspendThread.KERNEL32(00000298), ref: 00408B72
ResumeThread.KERNEL32(00000298), ref: 00408B8F
EndDialog.USER32(?,00000000), ref: 00408BB1

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: 636331c51eeec99492c3656744559ca8cb25bf13f1d29267e4cf69c729943fa4
Instruction ID: a2b05dd5e41b4995a09a300ee16ca779e4d4a037e63c25cdfddae70b45dc1bb5
Opcode Fuzzy Hash: 636331c51eeec99492c3656744559ca8cb25bf13f1d29267e4cf69c729943fa4
Instruction Fuzzy Hash: 9711C4B4201608DFD7101F12EE84E677BBCFB84745704803EF986A16A1CF396D00DA1D

Function 00404261 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004042A7
??3@YAXPAX@Z.MSVCRT ref: 004042E5
??3@YAXPAX@Z.MSVCRT ref: 0040430B
??3@YAXPAX@Z.MSVCRT ref: 00404313

Strings

%%T\, xrefs: 00404287
%%T/, xrefs: 004042C5

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 261993cb00864d984834ad0e43d7f5cd62a108a5b931f8d3cba770c6b4239f23
Instruction ID: 122386fc9699c449d81ec7ba086a527594e92f4f2f80396e21998a5c7b43ab37
Opcode Fuzzy Hash: 261993cb00864d984834ad0e43d7f5cd62a108a5b931f8d3cba770c6b4239f23
Instruction Fuzzy Hash: A811FC35D0010AAACF05FBA2D856CEEBB79AF14318F50846BF511360E2DF789795CB49

Function 0040431C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00404362
??3@YAXPAX@Z.MSVCRT ref: 004043A0
??3@YAXPAX@Z.MSVCRT ref: 004043C6
??3@YAXPAX@Z.MSVCRT ref: 004043CE

Strings

%%S\, xrefs: 00404342
%%S/, xrefs: 00404380

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: 57045baa5eca15e6faefc41cb7dde46f37a06a346480166a3eef6bc4e1eba18d
Instruction ID: f1f894bdf3d4d090df8b11905aad1c5c8858fc3c453367453fbe743e76f1909d
Opcode Fuzzy Hash: 57045baa5eca15e6faefc41cb7dde46f37a06a346480166a3eef6bc4e1eba18d
Instruction Fuzzy Hash: 54112C34D0010AAACF05FBA2C856CEE7B39AF14308F50846BF111360E2DF789795CB89

Function 004043D7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040441D
??3@YAXPAX@Z.MSVCRT ref: 0040445B
??3@YAXPAX@Z.MSVCRT ref: 00404481
??3@YAXPAX@Z.MSVCRT ref: 00404489

Strings

%%M/, xrefs: 0040443B
%%M\, xrefs: 004043FD

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: c6429fdd1526b1e7fbb253b58aeebe4a8df068622cf41946daa1f84d1205c3c4
Instruction ID: 8dba794e35f21279b7ca126a25086939a7e1f708a81bc48e9d43c6f6c4f8843e
Opcode Fuzzy Hash: c6429fdd1526b1e7fbb253b58aeebe4a8df068622cf41946daa1f84d1205c3c4
Instruction Fuzzy Hash: F111FC35D0010AAACF05FBA2D856CEE7B79AF14308F50846BF511360E2DF785796CB89

Function 004084EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408501
SHBrowseForFolderW.SHELL32(?), ref: 0040851A
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 00408536
SHGetMalloc.SHELL32(00000000), ref: 00408560

Part of subcall function 004082DB: GetDlgItem.USER32(?,000004B6), ref: 004082E8
Part of subcall function 004082DB: SetFocus.USER32(00000000,?,?,004083CF,000004B6,?), ref: 004082EF

Strings

A, xrefs: 00408547
A, xrefs: 00408513

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID: A$A
API String ID: 1557639607-3025247501
Opcode ID: 8b567cbf236bcd6d22996d77d705d87133768c80d45aeef4e96c8cb7c657258c
Instruction ID: 0f17a3c008e4a99ccc33b60476d4f22474d7ac170467a7db498a71fbbcb5b23f
Opcode Fuzzy Hash: 8b567cbf236bcd6d22996d77d705d87133768c80d45aeef4e96c8cb7c657258c
Instruction Fuzzy Hash: F2114F71A00208ABCB10DB95CA59BDE77BCAB84700F1404AAE905E3280DB79DE05CB65

Function 00407D94 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,0040911B,000004B1,00000000,?,?,?,?,?,00409228), ref: 00407D9C
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407DAD
GetWindow.USER32(?,00000005), ref: 00407DC6
GetWindow.USER32(00000000,00000002), ref: 00407DDC

Strings

uxtheme, xrefs: 00407D95
SetWindowTheme, xrefs: 00407DA7

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$uxtheme
API String ID: 324724604-1369271589
Opcode ID: 01b0f07356888f23ede045274bc5f10b7f94e2717df3aa36a0264411175b615e
Instruction ID: 7420b1413b3927be0e09d5a5b1199939c933d21b5537d32619d12fb45dfdc6a0
Opcode Fuzzy Hash: 01b0f07356888f23ede045274bc5f10b7f94e2717df3aa36a0264411175b615e
Instruction Fuzzy Hash: 6EF0AE32E4972533C13212666C48FE7765CDF46B51B054136FD04F7240DA68DC4041ED

Function 0040B790 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040B814
??3@YAXPAX@Z.MSVCRT ref: 0040B856
??2@YAPAXI@Z.MSVCRT ref: 0040B86C
memmove.MSVCRT ref: 0040B889
??3@YAXPAX@Z.MSVCRT ref: 0040B896
memmove.MSVCRT ref: 0040B8B4

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 598d0d4fbbd1a75924cb74ca8d90dc94e8938ef199d3bd8e5eb98e6998e67018
Instruction ID: 2725a0cdf67a86a76ae89e550574ec4b5b9664117e44407cff9637d04d7e1d1b
Opcode Fuzzy Hash: 598d0d4fbbd1a75924cb74ca8d90dc94e8938ef199d3bd8e5eb98e6998e67018
Instruction Fuzzy Hash: EF4158B5A003048FCB14DF19D880A67B7E5FF88304F14856EEC499B306D739E919CBAA

Function 004059B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00405A3A
??3@YAXPAX@Z.MSVCRT ref: 00405A9C
??3@YAXPAX@Z.MSVCRT ref: 00405AB4

Part of subcall function 00403A96: lstrlenW.KERNEL32(00401A87,00000000,?,?,?,?,?,?,00401A87,?), ref: 00403AA3
Part of subcall function 00403A96: GetSystemTimeAsFileTime.KERNEL32(?,00401A87,?,?,?,?,00401A87,?), ref: 00403B19
Part of subcall function 00403A96: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00401A87,?), ref: 00403B20
Part of subcall function 00403A96: ??3@YAXPAX@Z.MSVCRT ref: 00403BDF

Strings

;!@Install@!UTF-8!, xrefs: 00405A55
;!@InstallEnd@!, xrefs: 00405A6F

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-372238525
Opcode ID: 691e7b16ecd0d81a9d1d7dccc5ea94fd90d5bd9377cef4520e6c83a46c29e05e
Instruction ID: 05be9fed3064c9d881d7a199c2662b51d83aa20cb5094888597b34cc33987248
Opcode Fuzzy Hash: 691e7b16ecd0d81a9d1d7dccc5ea94fd90d5bd9377cef4520e6c83a46c29e05e
Instruction Fuzzy Hash: 94314D3590021EAACF01EF92CD818EEBB75FF48318F10042BE811721E1DB785685DF59

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401053
wsprintfW.USER32 ref: 00401071
lstrcatW.KERNEL32(?,?), ref: 00401084
ExitProcess.KERNEL32 ref: 004010AC

Strings

0x%p, xrefs: 0040106B

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: 6005226d534fa59506d0e1bea7fa8c4fd587573c945a303a9b2733448e6b2449
Instruction ID: 1d156b8e2377e49bbb98790bed191cf7e4a94fa6407155113c02fa0261581198
Opcode Fuzzy Hash: 6005226d534fa59506d0e1bea7fa8c4fd587573c945a303a9b2733448e6b2449
Instruction Fuzzy Hash: FC1160B5801208EFCB20EFB5DD8599B73B8BB44304F00487BE645A2191D678AA948B5A

Function 00404B47 Relevance: 7.6, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0041E3F0,?,?,?,?,?,?,0040656B,?,?), ref: 00404B60
??3@YAXPAX@Z.MSVCRT ref: 00404C12
??3@YAXPAX@Z.MSVCRT ref: 00404C1A
??3@YAXPAX@Z.MSVCRT ref: 00404C29
??3@YAXPAX@Z.MSVCRT ref: 00404C31

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$lstrlen
String ID:
API String ID: 2031685711-0
Opcode ID: 29fb89ff9368adaf32589367a9ab08fd84b34a61651bfd4a4b64f513cf1aa78e
Instruction ID: 58df158502e8e8c8b8225c801007fb375eedb3fbf3db66d62c68b1e71e2fb606
Opcode Fuzzy Hash: 29fb89ff9368adaf32589367a9ab08fd84b34a61651bfd4a4b64f513cf1aa78e
Instruction Fuzzy Hash: 87212C71D00105AACB206FA4CC01BEB77B8DF95364F1444BBEE41B71D1E779ED418699

Function 004087F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004081B6: GetSystemMetrics.USER32(0000000B), ref: 004081DE
Part of subcall function 004081B6: GetSystemMetrics.USER32(0000000C), ref: 004081E7

GetSystemMetrics.USER32(00000007), ref: 0040880B
GetSystemMetrics.USER32(00000007), ref: 0040881C
??3@YAXPAX@Z.MSVCRT ref: 004088E3

Strings

100%% , xrefs: 0040883B, 00408842, 0040889B

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: e87f074f6744b37ad901e42117a76a23dcd1fcc12ba0f39c1edec3fa84c37898
Instruction ID: b61f87e028c14ae519fd5acbe82c99188bf114d8ae22895d6fd2ec5fad7201aa
Opcode Fuzzy Hash: e87f074f6744b37ad901e42117a76a23dcd1fcc12ba0f39c1edec3fa84c37898
Instruction Fuzzy Hash: 7231EE72A007089FCB20EF6ACA419AEB7F4EF50314F00443ED482B22D1DB78E944CB99

Function 004026BE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00407202,00000000,?,?), ref: 004026D1
GetProcAddress.KERNEL32(00000000), ref: 004026D8

Strings

Wow64RevertWow64FsRedirection, xrefs: 004026C7
kernel32, xrefs: 004026CC

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e30bfedea9ecef5949d5105317049e471af0f001c276a593039802e8fc0993d0
Instruction ID: c8f53901271ec78943a664f820560f4101b0ffac110acd662a43b690bee66615
Opcode Fuzzy Hash: e30bfedea9ecef5949d5105317049e471af0f001c276a593039802e8fc0993d0
Instruction Fuzzy Hash: 19D05EB4193601ABDB402B62AD0CBE276A47B40741F4480357804D00F0CAFC44A2EA1E

Function 004026F2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,00402748,?,00407145,?,00000000,?,?), ref: 00402703
GetProcAddress.KERNEL32(00000000), ref: 0040270A

Strings

Wow64DisableWow64FsRedirection, xrefs: 004026F9
kernel32, xrefs: 004026FE

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: a2255e73f7ab32db877da58af0a01301e41c68a702f0b45ed193178c432436c1
Instruction ID: 14b996144198c06d2b580c2b2f92427fd35363d448dabe68fff46cd2ac5b7c70
Opcode Fuzzy Hash: a2255e73f7ab32db877da58af0a01301e41c68a702f0b45ed193178c432436c1
Instruction Fuzzy Hash: A5D013F45937047BD7505BA19D0DFE677946B44741F5440296404D11F4D7FC4455CE1F

Function 00403101 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00403207

Part of subcall function 00402E03: MultiByteToWideChar.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00403165,?,?,00000000,00000000,00000000), ref: 00402E35

??3@YAXPAX@Z.MSVCRT ref: 00403174
??3@YAXPAX@Z.MSVCRT ref: 0040318F
??3@YAXPAX@Z.MSVCRT ref: 00403197

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: e53d579ea1420204a9d3356672f854fcb038d20c3e554b33ae685d69b99d718d
Instruction ID: 4567f7d22649ab5cc64065fd9ce685159733205cb6f020b8159752473f4b33f9
Opcode Fuzzy Hash: e53d579ea1420204a9d3356672f854fcb038d20c3e554b33ae685d69b99d718d
Instruction Fuzzy Hash: 8131D572C04105AACB14EF96DD828EF77BDEF08316F40443FF856B60E1EA3C6A458668

Function 0041270D Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,0041C660), ref: 00412738
??2@YAPAXI@Z.MSVCRT ref: 00412760
memcpy.MSVCRT ref: 00412789
??3@YAXPAX@Z.MSVCRT ref: 00412794

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID:
API String ID: 3462485524-0
Opcode ID: 614e6b9030e33dbd3a2d811ab6a3033ff5f3a7c55e7c8e4e437b1e77e30c11f9
Instruction ID: 405328bf9c6dea51840dca2eba46a3fbb7e242f9a1a1b227e56750dcaa965544
Opcode Fuzzy Hash: 614e6b9030e33dbd3a2d811ab6a3033ff5f3a7c55e7c8e4e437b1e77e30c11f9
Instruction Fuzzy Hash: D41108762003046BCB289F16D9D0DABF7E9AB84354720883FF56DD7280CBB9E8D54759

Function 0040918F Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00407908: GetDlgItem.USER32(?,?), ref: 00407914

Part of subcall function 00407925: GetDlgItem.USER32(?,?), ref: 00407932
Part of subcall function 00407925: ShowWindow.USER32(00000000,?), ref: 00407949

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004091D7
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 004091F7
GetDlgItem.USER32(?,000004B7), ref: 0040920A
SetWindowLongW.USER32(00000000,000000FC,Function_00007F6E), ref: 00409218

Part of subcall function 00408E5E: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00409228), ref: 00408E87
Part of subcall function 00408E5E: LoadIconW.USER32(00000000), ref: 00408E8A
Part of subcall function 00408E5E: GetSystemMetrics.USER32(00000032), ref: 00408E9E
Part of subcall function 00408E5E: GetSystemMetrics.USER32(00000031), ref: 00408EA3
Part of subcall function 00408E5E: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00409228), ref: 00408EAC
Part of subcall function 00408E5E: LoadImageW.USER32(00000000), ref: 00408EAF
Part of subcall function 00408E5E: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408ECF
Part of subcall function 00408E5E: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408ED8
Part of subcall function 00408E5E: GetDlgItem.USER32(?,000004B2), ref: 00408EF4
Part of subcall function 00408E5E: GetDlgItem.USER32(?,000004B2), ref: 00408EFE
Part of subcall function 00408E5E: GetWindowLongW.USER32(?,000000F0), ref: 00408F0A
Part of subcall function 00408E5E: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00408F19
Part of subcall function 00408E5E: GetDlgItem.USER32(?,000004B5), ref: 00408F27
Part of subcall function 00408E5E: GetDlgItem.USER32(?,000004B5), ref: 00408F35
Part of subcall function 00408E5E: GetWindowLongW.USER32(?,000000F0), ref: 00408F41
Part of subcall function 00408E5E: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00408F50

Part of subcall function 004082DB: GetDlgItem.USER32(?,000004B6), ref: 004082E8
Part of subcall function 004082DB: SetFocus.USER32(00000000,?,?,004083CF,000004B6,?), ref: 004082EF

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Item$Window$Long$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoShow
String ID:
API String ID: 3043669009-0
Opcode ID: 83d92fe2ae362385f538e20dd195bc9a90b973da163aa05b173518147f80f435
Instruction ID: d55f7cd6c0ae67d2cfea52dc8002a5c696cbb6fa088204d5cba6b4347c9ab962
Opcode Fuzzy Hash: 83d92fe2ae362385f538e20dd195bc9a90b973da163aa05b173518147f80f435
Instruction Fuzzy Hash: 6E118675E403146BDB10EBB99C49FDE77BCEB84B14F10446FB251E32C0DAB899058755

Function 004077E6 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 0040780D
GetSystemMetrics.USER32(00000031), ref: 00407833
CreateFontIndirectW.GDI32(?), ref: 00407842
DeleteObject.GDI32(00000000), ref: 00407871

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5da47058ff94d5803732122388ffcc42587bfddbb95a0ced26d5b12eadc4e772
Instruction ID: bcf797713747d1bbc7a039335063bb95dfc11f2d3f3f6a9aa021fe6aed6dce96
Opcode Fuzzy Hash: 5da47058ff94d5803732122388ffcc42587bfddbb95a0ced26d5b12eadc4e772
Instruction Fuzzy Hash: D2113376A00205AFDB149F54DD88FEAB7B8EB04304F0480AAED15A7391DB74ED44CB55

Function 00402E9C Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000001,00000000,?,?,?), ref: 00402ECD
??3@YAXPAX@Z.MSVCRT ref: 00402ED6

Part of subcall function 004011B7: ??2@YAPAXI@Z.MSVCRT ref: 004011D7
Part of subcall function 004011B7: ??3@YAXPAX@Z.MSVCRT ref: 004011FD

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000001,00000001,?), ref: 00402EEE
??3@YAXPAX@Z.MSVCRT ref: 00402F0E

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1c3f63ef1eee124114cccf2536dc2808fbbd791f413996130052b08bb3e73a6e
Instruction ID: 9bd8dc273a68bd9637afbd8831705f8c3fd905c1db486eae3d391806f68f5536
Opcode Fuzzy Hash: 1c3f63ef1eee124114cccf2536dc2808fbbd791f413996130052b08bb3e73a6e
Instruction Fuzzy Hash: F2017572D00108BADB15A795DD85DDEB7BCEF58314F10407BF901B31D1EB785A408A99

Function 00408CE9 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00408D23
GetClientRect.USER32(?,?), ref: 00408D35
PtInRect.USER32(?,?,?), ref: 00408D44

Part of subcall function 0040872F: KillTimer.USER32(?,00000001,?,00408D59), ref: 0040873D

CallNextHookEx.USER32(?,?,?), ref: 00408D66

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ClientRect$CallHookKillNextScreenTimer
String ID:
API String ID: 3015594791-0
Opcode ID: 15b66d1cb46cfd40a4fba80601086509ebb595d1b5124e48eed938ea5df3e736
Instruction ID: 18d01c9c2ab30fc155503021630ae1f402c7651b4ea92375da3568117c475b81
Opcode Fuzzy Hash: 15b66d1cb46cfd40a4fba80601086509ebb595d1b5124e48eed938ea5df3e736
Instruction Fuzzy Hash: 04017935100105EFDB109F55ED14EAA7BA6FF14344B18853AE855A26A0DF34E810DB19

Function 004044C1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00403415: GetWindowTextLengthW.USER32(?), ref: 00403426
Part of subcall function 00403415: GetWindowTextW.USER32(0040349F,00000000,00000001), ref: 00403443

??3@YAXPAX@Z.MSVCRT ref: 0040450D
??3@YAXPAX@Z.MSVCRT ref: 00404515
SetWindowTextW.USER32(?,?), ref: 00404522
??3@YAXPAX@Z.MSVCRT ref: 0040452D

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 96bd27e7f3fc57ee4696f094549bd80dee55dfdf6bb1a65402e69d1b3675177c
Instruction ID: ff7ec8d6d0e8271002606b95276d32d5875dc5555b990560dc26556ed382b180
Opcode Fuzzy Hash: 96bd27e7f3fc57ee4696f094549bd80dee55dfdf6bb1a65402e69d1b3675177c
Instruction Fuzzy Hash: B1F0FF76D00109BACF01FBE1DD468CE7B79AF18318F1044BBF50571091EA799B958B95

Function 00408061 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 0040807C
CreateFontIndirectW.GDI32(?), ref: 00408092
GetDlgItem.USER32(?,000004B5), ref: 004080A6
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 004080B2

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 264c581feac235bf5db38c3df5d80af8d6bc45eebf8f891e465c2a489f60d106
Instruction ID: d40879a5241dbada588f6d3d89cdcd4bb4273d743b4923439a9775596fe479dc
Opcode Fuzzy Hash: 264c581feac235bf5db38c3df5d80af8d6bc45eebf8f891e465c2a489f60d106
Instruction Fuzzy Hash: 05F0B475501704ABD7215B94DD09FC77FACAB84B01F048039EE41E21D0DBB4D4188A2A

Function 0040B970 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00420B90), ref: 0040B979
LeaveCriticalSection.KERNEL32(00420B90), ref: 0040B9BC

Part of subcall function 0040B790: ??2@YAPAXI@Z.MSVCRT ref: 0040B814
Part of subcall function 0040B790: ??3@YAXPAX@Z.MSVCRT ref: 0040B856
Part of subcall function 0040B790: ??2@YAPAXI@Z.MSVCRT ref: 0040B86C
Part of subcall function 0040B790: memmove.MSVCRT ref: 0040B889
Part of subcall function 0040B790: ??3@YAXPAX@Z.MSVCRT ref: 0040B896
Part of subcall function 0040B790: memmove.MSVCRT ref: 0040B8B4

Part of subcall function 0040AED0: memset.MSVCRT ref: 0040AF3D

Part of subcall function 0040B900: ??2@YAPAXI@Z.MSVCRT ref: 0040B927

Strings

$A, xrefs: 0040B98D
$A, xrefs: 0040B9A5

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??2@$??3@CriticalSectionmemmove$EnterLeavememset
String ID: $A$$A
API String ID: 2633840989-464203494
Opcode ID: 678182a7b1fb41f2735d9a1324951dca02cc2b15f86711d7f43aa98ef369e29f
Instruction ID: eb367c7ddaee2a2fb62f52f584b5ee913fc6020de714d6b7f11535a2a145910a
Opcode Fuzzy Hash: 678182a7b1fb41f2735d9a1324951dca02cc2b15f86711d7f43aa98ef369e29f
Instruction Fuzzy Hash: 01E0127132152916892437566D15AEE2B9ACEC5758B14003FF701732C3CFAC285656EE

Function 00402096 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040209B
GetWindowRect.USER32(?,?), ref: 004020B4
ScreenToClient.USER32(00000000,?), ref: 004020C2
ScreenToClient.USER32(00000000,?), ref: 004020C9

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: c1e4db117b574ef1589c0c9d55717d3f19d7559ec2b1b8ce9c9335790e320de4
Instruction ID: 360ef478bd25029cb3ddb5db89bdb2cb9d11200f358063210d0ebdbaf2693bd9
Opcode Fuzzy Hash: c1e4db117b574ef1589c0c9d55717d3f19d7559ec2b1b8ce9c9335790e320de4
Instruction Fuzzy Hash: B7E086722062117FD7119BA5BC88C8B7FADDFD5A26700447AF54592221C7769C20DA72

Function 004052E7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 004083D2: GetSystemMetrics.USER32(00000010), ref: 00408414
Part of subcall function 004083D2: GetSystemMetrics.USER32(00000011), ref: 00408422

wsprintfW.USER32 ref: 0040536D
??3@YAXPAX@Z.MSVCRT ref: 004053AA

Strings

%X - %03X - %03X - %03X - %03X, xrefs: 00405367

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: MetricsSystem$??3@wsprintf
String ID: %X - %03X - %03X - %03X - %03X
API String ID: 1174869416-1993364030
Opcode ID: 54f3d7688a31d9ede09f57ae658537ffb95a78b7225a2b87c8686a6f2efc5fb4
Instruction ID: 4b7263c7f208e356f40bd8d925c78b4f60c931082ae3ce1b0b234df7c4f1af54
Opcode Fuzzy Hash: 54f3d7688a31d9ede09f57ae658537ffb95a78b7225a2b87c8686a6f2efc5fb4
Instruction Fuzzy Hash: C4116D31A40218AADB65BB91ED06FDE7338FF14708F10417AA5117A1D2DFB86A45CB88

Function 004083D2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000010), ref: 00408414
GetSystemMetrics.USER32(00000011), ref: 00408422

Strings

ExecuteFile, xrefs: 0040840B

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: MetricsSystem
String ID: ExecuteFile
API String ID: 4116985748-323923146
Opcode ID: 14d786c73423a61b5c4d888c2600fdeb7daaabf908332af799251ff76a0a5de7
Instruction ID: 6a74ab13091649485f48d3283ac03bce7b6736a34d248b30378b572136a87764
Opcode Fuzzy Hash: 14d786c73423a61b5c4d888c2600fdeb7daaabf908332af799251ff76a0a5de7
Instruction Fuzzy Hash: 2CF0F974A007058FC7B0DF79D940286B7F4BF48350749893FD986D3A90EBB4A4859F85

Function 00408611 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00408646
??3@YAXPAX@Z.MSVCRT ref: 0040866E

Strings

(%d%s), xrefs: 00408640

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: ??3@wsprintf
String ID: (%d%s)
API String ID: 3815514257-2087557067
Opcode ID: 987eb4089fde38301cdce038a3fa0667c85b22f9c23ef7476c7b2653851f1aae
Instruction ID: 37cf70faa09b515f4225f8f05a611f4f85e102aba12cbf3defd6e2e13dcc1dea
Opcode Fuzzy Hash: 987eb4089fde38301cdce038a3fa0667c85b22f9c23ef7476c7b2653851f1aae
Instruction Fuzzy Hash: 14F06271800218BBCF21B755DD06ECA7778AF04308F1045BBA512B14A2EE76AA548A98

Function 004048EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 7windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 004048FA

Strings

7-Zip SFX, xrefs: 004048EE
Could not allocate memory, xrefs: 004048F3

Memory Dump Source

Source File: 00000000.00000002.2597936174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2597516887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598352277.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2598714803.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2599050720.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sVfXReO3QI.jbxd

Similarity

API ID: Message
String ID: 7-Zip SFX$Could not allocate memory
API String ID: 2030045667-3806377612
Opcode ID: 3326d66dcc1a04258ccecf944498af0c4029a673cea994d3bb0345d3c23038b9
Instruction ID: 1f72cfa22fc7bf934b0b745acd93f2f995aad45dd61b0b2d5dae8fa57f35f3c3
Opcode Fuzzy Hash: 3326d66dcc1a04258ccecf944498af0c4029a673cea994d3bb0345d3c23038b9
Instruction Fuzzy Hash: 37B012703C130431D10003300C07FC01041C70CF0AF1088517104A81D3DFD620E0204D

Analysis Process: PsiphonPortable.exePID: 7408, Parent PID: 7316COMMON

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	35.8%
Signature Coverage:	10.5%
Total number of Nodes:	1588
Total number of Limit Nodes:	86

Executed Functions

Function 1000268A Relevance: 89.8, APIs: 48, Strings: 3, Instructions: 536
threadfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,10004408,00000001), ref: 10002736
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10002745
CreateFileMappingW.KERNELBASE(000000FF,00000000,08000004,00000000,00000000,00000000), ref: 10002765
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000), ref: 1000277D
CreateThread.KERNELBASE(00000000,00000001,10002349,00000000,00000000,00000000), ref: 100027AD
GetLastError.KERNEL32 ref: 100027BC
GetCurrentProcessId.KERNEL32 ref: 100027F5
GetCurrentThreadId.KERNEL32 ref: 100027FD
SendMessageW.USER32(00008004,0000053A,00000000), ref: 10002866
GetCurrentProcessId.KERNEL32 ref: 10002871
GetCurrentThreadId.KERNEL32 ref: 10002873
SetWindowLongW.USER32(?,000000FC,100025BA), ref: 10002894
GetCurrentProcessId.KERNEL32 ref: 100028C6
wsprintfW.USER32 ref: 100028F5
GetCurrentProcessId.KERNEL32 ref: 100028FE
GetCurrentProcessId.KERNEL32 ref: 10002905
wsprintfW.USER32 ref: 1000292F
GetLastError.KERNEL32 ref: 10002938
GetCurrentProcessId.KERNEL32 ref: 10002942

Part of subcall function 10001995: CharNextW.USER32(?,?,?,771B2E90,?,771ADF10,1000295B,?,00000000,00000000), ref: 100019CF
Part of subcall function 10001995: CharNextW.USER32(00000000,?,771B2E90,?,771ADF10,1000295B,?,00000000,00000000), ref: 100019DD

SetCurrentDirectoryW.KERNEL32(-10002408,00000001,?,00000017,00000001,00000000), ref: 10002A4D
GetCurrentThreadId.KERNEL32 ref: 10002907

Part of subcall function 10001BE2: SetLastError.KERNEL32(00000000), ref: 10001C22

GetCurrentThreadId.KERNEL32 ref: 100028C8

Part of subcall function 10001BE2: GetVersionExW.KERNEL32(00000114,?,771B2E90), ref: 10001C10

GlobalFree.KERNEL32(?), ref: 10002D8C

Part of subcall function 1000194C: GetVersionExW.KERNEL32(00000114,?), ref: 10001974

GetCommandLineW.KERNEL32(00000000,00000001), ref: 10002B06
GlobalFree.KERNEL32(00000000), ref: 10002B61
GlobalAlloc.KERNEL32(00000040,00000000), ref: 10002B6E

Part of subcall function 10002488: GetWindowThreadProcessId.USER32(?,?), ref: 100024A9
Part of subcall function 10002488: OpenProcess.KERNEL32(00000040,00000000,?,SeDebugPrivilege,00000001,?,?,771B2E90), ref: 100024C6
Part of subcall function 10002488: GetLastError.KERNEL32(?,771B2E90), ref: 100024D3

FindCloseChangeNotification.KERNELBASE ref: 10002D11
wsprintfW.USER32 ref: 10002D47
wsprintfW.USER32 ref: 10002D55
wsprintfW.USER32 ref: 10002D61
wsprintfW.USER32 ref: 10002D72

Strings

runas, xrefs: 10002B2B
/UAC:%X /NCRC%s, xrefs: 10002BCF
seclogon, xrefs: 10002BE9

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Current$Process$Threadwsprintf$CreateErrorLast$Global$CharEventFileFreeNextVersionWindow$AllocChangeCloseCommandDirectoryFindLineLongMappingMessageNotificationOpenSendView
String ID: /UAC:%X /NCRC%s$runas$seclogon
API String ID: 2530454560-462553597
Opcode ID: 73ff17370230964a78374dfa29cc8e79be62d33509881e24be56eff2d626fe21
Instruction ID: ff1822c73bc9f771132c37108fbe12d48ffa4c58f50466b060dbd87fb1f046ef
Opcode Fuzzy Hash: 73ff17370230964a78374dfa29cc8e79be62d33509881e24be56eff2d626fe21
Instruction Fuzzy Hash: 4912BCB0808351AFF701DF64CC88B9E7BE8FB457C4F420819F58492269DBB49D88CB66

Function 050D4120 Relevance: 69.6, APIs: 28, Strings: 18, Instructions: 642
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 050D6045: lstrcpyW.KERNEL32(?,?), ref: 050D605E
Part of subcall function 050D6045: GlobalFree.KERNEL32 ref: 050D606F

Part of subcall function 050D5F42: CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 050D5F83
Part of subcall function 050D5F42: SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000), ref: 050D5F9C
Part of subcall function 050D5F42: GetFileSize.KERNEL32(000000FF,00000000), ref: 050D5FA8
Part of subcall function 050D5F42: GlobalAlloc.KERNEL32(00000040,000000FD), ref: 050D5FC0
Part of subcall function 050D5F42: ReadFile.KERNELBASE(000000FF,00000000,000000FF,00000000,00000000), ref: 050D5FE1
Part of subcall function 050D5F42: CloseHandle.KERNEL32(000000FF), ref: 050D5FEF

Part of subcall function 050D5E75: lstrcpynW.KERNEL32(050D41C4,007437C0,-050D89A1,?,?,050D41C4,"DisableDisallowedTrafficAlert"=dword:00000001,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D5ED1
Part of subcall function 050D5E75: lstrlenW.KERNEL32(050D41C4,?,?,050D41C4,"DisableDisallowedTrafficAlert"=dword:00000001,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D5EDB
Part of subcall function 050D5E75: lstrlenW.KERNEL32(050D41C4,?,?,050D41C4,"DisableDisallowedTrafficAlert"=dword:00000001,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D5F30

lstrcpynW.KERNEL32(05130EC0,"DisableDisallowedTrafficAlert"=dword:00000001,00000248,?,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D4238
lstrlenW.KERNEL32(05130EC0,?,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D4243
lstrcpynW.KERNEL32(05130EC0,"DisableDisallowedTrafficAlert"=dword:00000001,00000248,?,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D42AF
lstrlenW.KERNEL32(05130EC0,?,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D42BA

Part of subcall function 050D5E75: lstrcpynW.KERNEL32(050D41C4,007437C0,00010000,050D41C4,"DisableDisallowedTrafficAlert"=dword:00000001,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D5F1F

lstrlenW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001), ref: 050D4389
lstrcpynW.KERNEL32(050F8A00,050D89DE,050D89DF), ref: 050D4433
lstrlenW.KERNEL32(050F8A00), ref: 050D443E
lstrcpynW.KERNEL32(050F8A00,050D89DE,00020000), ref: 050D450C
lstrlenW.KERNEL32(050F8A00), ref: 050D4517
lstrlenW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001), ref: 050D455E
lstrcpynW.KERNEL32(050F8A00,"DisableDisallowedTrafficAlert"=dword:00000001,050D89DF), ref: 050D45C0
lstrcmpW.KERNEL32(050F8A00,dword), ref: 050D45D0
lstrlenW.KERNEL32(050F8A00), ref: 050D45EA
lstrcpynW.KERNEL32(050F8A00,"DisableDisallowedTrafficAlert"=dword:00000001,00000009), ref: 050D462A
lstrcmpW.KERNEL32(050F8A00,hex), ref: 050D466C
lstrcmpW.KERNEL32(050F8A00,hex(0)), ref: 050D468C
lstrlenW.KERNEL32(050F8A00), ref: 050D47FF

Strings

hex(6), xrefs: 050D4742
"DisableDisallowedTrafficAlert"=dword:00000001, xrefs: 050D41BA, 050D41CA, 050D4232, 050D42A9, 050D433B, 050D434B, 050D4384, 050D448C, 050D454C, 050D4559, 050D4569, 050D458F, 050D45A5, 050D45BA, 050D4624, 050D4848, 050D4858
hex(7), xrefs: 050D4762
hex(4), xrefs: 050D4702
hex(9), xrefs: 050D479C
hex, xrefs: 050D4662
hex(2), xrefs: 050D46C2
hex(5), xrefs: 050D4722
hex(1), xrefs: 050D46A2
hex(a), xrefs: 050D47B9
hex(0), xrefs: 050D4682
hex(3), xrefs: 050D46E2
hex(b), xrefs: 050D47D6
dword, xrefs: 050D45C6
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg, xrefs: 050D4178, 050D4186
F, xrefs: 050D48F4
hex(8), xrefs: 050D477F
F, xrefs: 050D494B

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: lstrlen$lstrcpyn$File$lstrcmp$Global$AllocCloseCreateFreeHandlePointerReadSizelstrcpy
String ID: "DisableDisallowedTrafficAlert"=dword:00000001$C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg$F$F$dword$hex$hex(0)$hex(1)$hex(2)$hex(3)$hex(4)$hex(5)$hex(6)$hex(7)$hex(8)$hex(9)$hex(a)$hex(b)
API String ID: 2960896406-4204981277
Opcode ID: 1b3a3464bd3aba8a8f335b4c651dcd1fd4cebaef4f81174fb5dbaca1fc9bd3c6
Instruction ID: b1f0920ac5dba266420d01260b72adf9880dc294823f497c3a2ed73ca3297d5b
Opcode Fuzzy Hash: 1b3a3464bd3aba8a8f335b4c651dcd1fd4cebaef4f81174fb5dbaca1fc9bd3c6
Instruction Fuzzy Hash: E5327B71A013099BDF14DFA4E886AFEFBB2FF49715F148019E502BA284DBB05985CB71

Function 004039E3 Relevance: 56.3, APIs: 22, Strings: 10, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403A02
SetErrorMode.KERNELBASE(00008001), ref: 00403A0D
OleInitialize.OLE32(00000000), ref: 00403A14

Part of subcall function 0040645D: GetModuleHandleA.KERNEL32(?,?,00000020,00403A26,00000008), ref: 0040646B
Part of subcall function 0040645D: LoadLibraryA.KERNELBASE(?,?,?,00000020,00403A26,00000008), ref: 00406476
Part of subcall function 0040645D: GetProcAddress.KERNEL32(00000000), ref: 00406488

SHGetFileInfoW.SHELL32(0040931C,00000000,?,000002B4,00000000), ref: 00403A3C

Part of subcall function 0040616A: lstrcpynW.KERNEL32(?,?,00002004,00403A51,0046ADC0,NSIS Error), ref: 00406177

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 00403A51
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,00000000), ref: 00403A64
CharNextW.USER32(00000000,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,00000020), ref: 00403A8B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403B60
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403B75
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403B81
DeleteFileW.KERNELBASE(004D30C0), ref: 00403B98
OleUninitialize.OLE32(?), ref: 00403C31
ExitProcess.KERNEL32 ref: 00403C51
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403C5D
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403C69
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403C75
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403C7C
DeleteFileW.KERNEL32(004331F8,004331F8,?,00477008,004092BC,00473000,?), ref: 00403CCD
CopyFileW.KERNEL32(004DF0D8,004331F8,00000001), ref: 00403CE1
CloseHandle.KERNEL32(00000000,004331F8,004331F8,?,004331F8,00000000), ref: 00403D0E
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403D64
ExitWindowsEx.USER32(00000002,00000000), ref: 00403DA0

Strings

"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" , xrefs: 00403A58, 00403A5D, 00403BB8
~nsu.tmp, xrefs: 00403C57
NCRC, xrefs: 00403ADC
_?=, xrefs: 00403BC4
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004039F6
Error launching installer, xrefs: 00403BDD
/D=, xrefs: 00403B06
\Temp, xrefs: 00403B7B
SeShutdownPrivilege, xrefs: 00403D76
NSIS Error, xrefs: 00403A42

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" $Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-2279026766
Opcode ID: 68266bafc206ec77b9f892d23c4aef905f4494e6b01b225f4942505767497f92
Instruction ID: 4e18f5f1af3a7f331e2e544c63ade91685479340742a394c6c2d6f2448785750
Opcode Fuzzy Hash: 68266bafc206ec77b9f892d23c4aef905f4494e6b01b225f4942505767497f92
Instruction Fuzzy Hash: FEA1B571504301BBD6207F629D0AE1B7EACAF4075AF11483FF585B61D2DBBC8A448B6E

Function 00406DFC Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ), ref: 00406E19
lstrcatW.KERNEL32(0045C928,\*.*), ref: 00406E6A
lstrcatW.KERNEL32(?,00408838), ref: 00406E8A
lstrlenW.KERNEL32(?), ref: 00406E8D
FindFirstFileW.KERNEL32(0045C928,?), ref: 00406EA1
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406F83
FindClose.KERNEL32(?), ref: 00406F94

Strings

"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" , xrefs: 00406E05
Delete: DeleteFile failed("%s"), xrefs: 00406F5E
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406FB9
Delete: DeleteFile on Reboot("%s"), xrefs: 00406F41
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406FF4
RMDir: RemoveDirectory("%s"), xrefs: 00406FD0
RMDir: RemoveDirectory failed("%s"), xrefs: 00407011
\*.*, xrefs: 00406E64
Delete: DeleteFile("%s"), xrefs: 00406F1D

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" $Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-724928243
Opcode ID: e25bf17fa5cd8a8754a82c370ef333a2a3ae489cf446f822b8942f902ad3cb12
Instruction ID: 065701ca96279c828ad8c0a907823cf62f9bd73eb8e14a3183d43afd793dd255
Opcode Fuzzy Hash: e25bf17fa5cd8a8754a82c370ef333a2a3ae489cf446f822b8942f902ad3cb12
Instruction Fuzzy Hash: 8951F332404306AADB206B71DC45AAF37B8DF41724B21813FF902721C2DB7C5DA2DA6E

Function 0040761C Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08b0311c7b190f70b7f6b66510179fe2aae7c875dcf9b09b9f207b7722ad9ec
Instruction ID: 6d9a96506c23ada9e0f5992c1433d3039d4b40deeb0cc045ecd6cd6b38dbc2b7
Opcode Fuzzy Hash: f08b0311c7b190f70b7f6b66510179fe2aae7c875dcf9b09b9f207b7722ad9ec
Instruction Fuzzy Hash: DCF15971908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D378E986CF86

Function 7026124C Relevance: 3.2, APIs: 2, Instructions: 156processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000000), ref: 7026130B
GetLastError.KERNEL32 ref: 70261412

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: CreateErrorLastSnapshotToolhelp32
String ID:
API String ID: 4136412728-0
Opcode ID: 596ae5032470ed2f13e3ddca5b170255ced0b9f7b8d6530e210ff345391b0079
Instruction ID: 8436e669528bb204b1818fcb0fc30fa445e031920286a6074dd3ee5d5226fae0
Opcode Fuzzy Hash: 596ae5032470ed2f13e3ddca5b170255ced0b9f7b8d6530e210ff345391b0079
Instruction Fuzzy Hash: 9051C373A00214DFD715DF61DC86B6D77A4EB44314F348429E905CBF90C6B4B5E4AB92

Function 00406436 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572D0,0045BED8,004572D0,0040692F,004572D0), ref: 00406441
FindClose.KERNEL32(00000000), ref: 0040644D

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cabe7cd0e8d0c42d8893e3e2e2c087770211128cd55027c92275192456ad2468
Instruction ID: 304157284c36da419ef03f6d9f2c23ccabbefed464cde17f37dc78c4e58848de
Opcode Fuzzy Hash: cabe7cd0e8d0c42d8893e3e2e2c087770211128cd55027c92275192456ad2468
Instruction Fuzzy Hash: 37D01271504120AFC34027786E0C89B7A599F16331725CA3AB5EAF21E1C7748C3287EC

Function 004015A0 Relevance: 58.1, APIs: 15, Strings: 18, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNEL32(?,004CB0B0,?,000000E6,HideCommandLineWindow,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,HideCommandLineWindow,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
SetFileAttributes: "%s":%08X, xrefs: 0040177B
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Call: %d, xrefs: 0040165A
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
SetFileAttributes failed., xrefs: 004017A1
detailprint: %s, xrefs: 00401679
Rename failed: %s, xrefs: 0040194B
BringToFront, xrefs: 004016BD
CreateDirectory: "%s" (%d), xrefs: 004017BF
HideCommandLineWindow, xrefs: 00401864, 00401912, 00401936
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Rename: %s, xrefs: 004018F8
Aborting: "%s", xrefs: 0040161D
CreateDirectory: "%s" created, xrefs: 00401849
Sleep(%d), xrefs: 0040169D
Jump: %d, xrefs: 00401602
Rename on reboot: %s, xrefs: 00401943

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$HideCommandLineWindow$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-4099689987
Opcode ID: fba0ab4e7ccf5d8c556da6ed02245b98afa567c62f150e8fa28fa4392de864ab
Instruction ID: 6970006c80b2daef1e7dd2d9cca72418e9fe59065d0b28f5efb0bef5c027f317
Opcode Fuzzy Hash: fba0ab4e7ccf5d8c556da6ed02245b98afa567c62f150e8fa28fa4392de864ab
Instruction Fuzzy Hash: 67B10431A00214EBDB106F61DD459AE3BA9EF04314B25813FF546B61E2DA7D4E41CAAE

Function 00405A8C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040645D: GetModuleHandleA.KERNEL32(?,?,00000020,00403A26,00000008), ref: 0040646B
Part of subcall function 0040645D: LoadLibraryA.KERNELBASE(?,?,?,00000020,00403A26,00000008), ref: 00406476
Part of subcall function 0040645D: GetProcAddress.KERNEL32(00000000), ref: 00406488

lstrcatW.KERNEL32(004D30C0,00447250), ref: 00405B0E
lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",?,?,?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",00000000,004C70A8,004D30C0,00447250,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447250,00000000,00000006,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ), ref: 00405B90
lstrcmpiW.KERNEL32(?,.exe,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",?,?,?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",00000000,004C70A8,004D30C0,00447250,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447250,00000000), ref: 00405BA3
GetFileAttributesW.KERNEL32("C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"), ref: 00405BAE

Part of subcall function 004060B2: wsprintfW.USER32 ref: 004060BF

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405C17
RegisterClassW.USER32(0046AD60), ref: 00405C6A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405C82
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405CBB

Part of subcall function 00403FF5: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00404090

ShowWindow.USER32(00000005,00000000), ref: 00405CF1
LoadLibraryW.KERNEL32(RichEd20), ref: 00405D02
LoadLibraryW.KERNEL32(RichEd32), ref: 00405D0D
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405D1D
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405D2A
RegisterClassW.USER32(0046AD60), ref: 00405D33
DialogBoxParamW.USER32(?,00000000,004055D9,00000000), ref: 00405D52

Strings

RichEdit, xrefs: 00405D24
"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" , xrefs: 00405A98
RichEd32, xrefs: 00405D08
PrD, xrefs: 00405AC5
_Nb, xrefs: 00405C31
Control Panel\Desktop\ResourceLocale, xrefs: 00405AD2
.DEFAULT\Control Panel\International, xrefs: 00405AF9
RichEdit20A, xrefs: 00405D16, 00405D1B
"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe", xrefs: 00405B56, 00405B5B, 00405B6C, 00405BBD, 00405BC3
.exe, xrefs: 00405B9D
RichEd20, xrefs: 00405CFD

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"$"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" $.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$PrD$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-776204145
Opcode ID: 80ca71923c634680d402ef98f9edd294887f2eac5f8585db4802c5967787b579
Instruction ID: 3a6a227fec416dc0362735230570460a00d436347f4cd54f675a02b01ae67812
Opcode Fuzzy Hash: 80ca71923c634680d402ef98f9edd294887f2eac5f8585db4802c5967787b579
Instruction Fuzzy Hash: 1271A071104B00AED720AB65AE45E2737ACEB44745F40443FF945B62E2EBB8AC518F2E

Function 70261C1B Relevance: 37.3, APIs: 18, Strings: 3, Instructions: 559stringmemorylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 70261581: GlobalAlloc.KERNELBASE(00000040,?,702615BA,?,?,7026185F,?,70261017), ref: 7026158B

Part of subcall function 702615A3: lstrcpyW.KERNEL32(00000000,?), ref: 702615C1
Part of subcall function 702615A3: GlobalFree.KERNEL32 ref: 702615D2

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 70261D0B
lstrcpyW.KERNEL32(00000008,?), ref: 70261D59
lstrcpyW.KERNEL32(00000808,?), ref: 70261D63
GlobalFree.KERNEL32(00000000), ref: 70261D7D
GlobalFree.KERNEL32(?), ref: 70261E69
GlobalFree.KERNEL32(?), ref: 70261E6E
GlobalFree.KERNELBASE(?), ref: 70261E73
GlobalFree.KERNEL32(00000000), ref: 7026201A
lstrcpyW.KERNEL32(?,?), ref: 7026217A
GetModuleHandleW.KERNEL32(00000008), ref: 702621EE
LoadLibraryW.KERNELBASE(00000008), ref: 702621FF
lstrcmpiW.KERNEL32(kernel32,00000008), ref: 7026221B
lstrcmpiW.KERNEL32(kernel32.dll,00000008), ref: 70262227
lstrlenW.KERNEL32(00000808), ref: 70262258
lstrcatW.KERNEL32(00000808,702630C8), ref: 7026227C
lstrcpyW.KERNEL32(?,00000808), ref: 702622C7
lstrcatW.KERNEL32(?,00000057), ref: 702622DE
lstrcatW.KERNEL32(00000808,00000057), ref: 70262307

Strings

kernel32.dll, xrefs: 70262222
kernel32, xrefs: 70262216
W, xrefs: 702622C0

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: Global$Free$lstrcpy$lstrcat$Alloclstrcmpi$HandleLibraryLoadModulelstrlen
String ID: W$kernel32$kernel32.dll
API String ID: 2496820534-4093004423
Opcode ID: fe7f559c63842f44d743b299b1a4c6f377517f3aadc97bdae5b153043bc06d51
Instruction ID: e57c06fe7f5558c431aa5342ae9ff8cee9d18bd467a20fc99ce5a6005b2e8454
Opcode Fuzzy Hash: fe7f559c63842f44d743b299b1a4c6f377517f3aadc97bdae5b153043bc06d51
Instruction Fuzzy Hash: CE12CF73E14646DECB118FA4C8846EEB7B5FB08300F24842ED156E7A90D774AAE8DB51

Function 10001EDC Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(AdvAPI32,?,?,?,00000000,10002713,10004408,00000001), ref: 10001EEB
LoadLibraryA.KERNEL32(ShlWAPI,?,?,00000000,10002713,10004408,00000001), ref: 10001EF4
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 10001F04
LoadLibraryA.KERNEL32(USER32,?,?,00000000,10002713,10004408,00000001), ref: 10001F10
GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 10001F18
LoadLibraryA.KERNELBASE(SECUR32,?,?,00000000,10002713,10004408,00000001), ref: 10001F24
GetProcAddress.KERNELBASE(00000000,GetUserNameExW), ref: 10001F2C
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 10001F39
GetProcAddress.KERNEL32(00000000,SHGetValueA), ref: 10001F46

Strings

CheckTokenMembership, xrefs: 10001EFC
CreateProcessWithLogonW, xrefs: 10001F2E
SHGetValueA, xrefs: 10001F3B
SECUR32, xrefs: 10001F1A
GetUserNameExW, xrefs: 10001F26
ShlWAPI, xrefs: 10001EED
AdvAPI32, xrefs: 10001EE6
ChangeWindowMessageFilter, xrefs: 10001F12
USER32, xrefs: 10001F06

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: AdvAPI32$ChangeWindowMessageFilter$CheckTokenMembership$CreateProcessWithLogonW$GetUserNameExW$SECUR32$SHGetValueA$ShlWAPI$USER32
API String ID: 2238633743-317704901
Opcode ID: 1f806dab57e0d73e68b652c05fdbd3d85cd45c579f557fb9ea507bcd518f6a85
Instruction ID: 48f6b5e9b9d2b3d9e28081fc1af9a79398f56288de8b1ffb0a0e6babec6ad198
Opcode Fuzzy Hash: 1f806dab57e0d73e68b652c05fdbd3d85cd45c579f557fb9ea507bcd518f6a85
Instruction Fuzzy Hash: A4F0A4E1D012686AE620BBF65C88D8B7EACEB945E13431426F20493128DF7455008AA8

Function 00401A1F Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe","C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",00000000,00000000,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 0040616A: lstrcpynW.KERNEL32(?,?,00002004,00403A51,0046ADC0,NSIS Error), ref: 00406177

Part of subcall function 004050D2: lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
Part of subcall function 004050D2: lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
Part of subcall function 004050D2: lstrcatW.KERNEL32(0043B238,00403361), ref: 0040512D
Part of subcall function 004050D2: SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
Part of subcall function 004050D2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

Strings

"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe", xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user retry, xrefs: 00401B40
File: error, user abort, xrefs: 00401B53
File: wrote %d to "%s", xrefs: 00401BD0
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error creating "%s", xrefs: 00401AF0
HideCommandLineWindow, xrefs: 00401B15, 00401B31
File: error, user cancel, xrefs: 00401B93

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$HideCommandLineWindow
API String ID: 4286501637-919641124
Opcode ID: cb2ea112a6d5708afa0a1d6b98d2a639abb6c955421a78b536d05d697647842d
Instruction ID: 08d878c9e80d9a323f30b4f94fb3bca26633bf48a784620ab852fc75793eaf31
Opcode Fuzzy Hash: cb2ea112a6d5708afa0a1d6b98d2a639abb6c955421a78b536d05d697647842d
Instruction Fuzzy Hash: 88511771901114BADB107BB1CD46EAF3A68DF05369F21423FF516B10D3DB7C4A528AAD

Function 00403679 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 205
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040368D
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004), ref: 004036A9

Part of subcall function 00405FB0: GetFileAttributesW.KERNELBASE(00000003,004036BC,004DF0D8,80000000,00000003), ref: 00405FB4
Part of subcall function 00405FB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405FD6

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003), ref: 004036F2
GlobalAlloc.KERNELBASE(00000040,004091D8), ref: 0040382E
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,04000100,00000000,?,004D70C8), ref: 00403867

Strings

"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" , xrefs: 00403686
Null, xrefs: 00403770
Inst, xrefs: 0040375E
soft, xrefs: 00403767
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403877
Error launching installer, xrefs: 004036C9
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403889
XqB, xrefs: 00403834

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: File$Create$AllocAttributesCountGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" $Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$XqB$soft
API String ID: 2312874724-3222103968
Opcode ID: dc67487d1d5886e496fe9a95df8d8d004577587b5cb1a975d93318355e81f02c
Instruction ID: f367662fd253c9a4c32130068affbadc700f065c840d768c21b487d0aca010bd
Opcode Fuzzy Hash: dc67487d1d5886e496fe9a95df8d8d004577587b5cb1a975d93318355e81f02c
Instruction Fuzzy Hash: DA71C3B1900204AFDB11AFB5DD85BAE7AACAB04755F10807FFA05B72D1CB789E448B5C

Function 10001BE2 Relevance: 19.6, APIs: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(00000114,?,771B2E90), ref: 10001C10
SetLastError.KERNEL32(00000000), ref: 10001C22

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: ErrorLastVersion
String ID:
API String ID: 305913169-0
Opcode ID: f7b22df63fd94ce0db5f842c3456cfde58ddd7e9ce2eb328282e0ef749223a4f
Instruction ID: 781c41f1377e9669cc37b05094e7f240193f75726cfc1e42fe02484d6e0c8e80
Opcode Fuzzy Hash: f7b22df63fd94ce0db5f842c3456cfde58ddd7e9ce2eb328282e0ef749223a4f
Instruction Fuzzy Hash: E251387190025AAFFB10DFA08C89AEEBBB9EF043C1F504466E651A2199D7709A84DB61

Function 00406966 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37
GetSystemDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",00002004), ref: 00406AB9

Part of subcall function 0040616A: lstrcpynW.KERNEL32(?,?,00002004,00403A51,0046ADC0,NSIS Error), ref: 00406177

GetWindowsDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",00002004), ref: 00406ACC
lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",\Microsoft\Internet Explorer\Quick Launch), ref: 00406B46
lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406BA8

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406B40
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406A87
"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe", xrefs: 0040698D, 00406A79, 00406A7F, 00406AA3, 00406AB8, 00406ACB, 00406AE7, 00406B12, 00406B45, 00406B64, 00406B79, 00406B7A, 00406B88, 00406BA1, 00406BA7, 00406BB4, 00406BED

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-722761395
Opcode ID: 349b504904d19e27fd4f4c91fd092aa9198956906fd02c1d1d814161a489649c
Instruction ID: e48cded74d6947d59e8abd59105747811bc68a9d38b3ce97ffc5bdd505d2dbd5
Opcode Fuzzy Hash: 349b504904d19e27fd4f4c91fd092aa9198956906fd02c1d1d814161a489649c
Instruction Fuzzy Hash: 4171E5B1A00121ABDF20AF68CD44A7A33B5AF55314F12803BE947F62D0E77C99A1CB4D

Function 702628A3 Relevance: 13.6, APIs: 9, Instructions: 147
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?), ref: 70262958
GlobalAlloc.KERNELBASE(00000040,?), ref: 70262985
lstrcpynW.KERNEL32(00000000,?), ref: 70262998
GlobalAlloc.KERNEL32(00000040,00000010), ref: 702629B4
CLSIDFromString.OLE32(00000000,00000000), ref: 702629C1
GlobalFree.KERNEL32(00000000), ref: 702629C8
GlobalAlloc.KERNEL32(00000040), ref: 702629D8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 702629EF
GlobalFree.KERNELBASE(00000000), ref: 70262A19

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: Global$Alloc$Free$ByteCharFromMultiStringWidelstrcpynlstrlen
String ID:
API String ID: 916651646-0
Opcode ID: 4c6fb2e99a812b317ccb4c2f73f8cf6f5077eb944436637cf75920b7781a6036
Instruction ID: 1644352724c099e792bd8408c939456af901427a837e47dcec0ceb216eb51a08
Opcode Fuzzy Hash: 4c6fb2e99a812b317ccb4c2f73f8cf6f5077eb944436637cf75920b7781a6036
Instruction Fuzzy Hash: AF41AF731087029FD3258F65CC48B2E77FCEB84361F20491DF546DA990D7B4A8E8AB62

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 004050D2: lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
Part of subcall function 004050D2: lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
Part of subcall function 004050D2: lstrcatW.KERNEL32(0043B238,00403361), ref: 0040512D
Part of subcall function 004050D2: SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
Part of subcall function 004050D2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNELBASE(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A
HideCommandLineWindow, xrefs: 004024CE, 004024E5

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$HideCommandLineWindow
API String ID: 1033533793-3479902643
Opcode ID: 7126d7f87333a31c50dcaf441315a421a4963bba86a6d5b99edc85380d7bda2a
Instruction ID: d8831ef82082564af9a2e195be03e9e7495047a885a7848ebc2eed903ecf7a42
Opcode Fuzzy Hash: 7126d7f87333a31c50dcaf441315a421a4963bba86a6d5b99edc85380d7bda2a
Instruction Fuzzy Hash: 0B219F35A00208BBCF206FA1CE49A9E7A70AF00314F30813FF512761E1D7BD4A919A5D

Function 004033D2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7

Part of subcall function 004033BB: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040389E,?), ref: 004033C9

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403583,00000004,00000000,00000000,?,?,?,004038C5,000000FF,00000000,00000000), ref: 0040341A
WriteFile.KERNELBASE(004271E0,0042D498,000000FF,00000000,0042F1E8,00004000,?,00000000,?,00403583,00000004,00000000,00000000,?,?), ref: 004034D8
SetFilePointer.KERNELBASE(00058B68,00000000,00000000,0042F1E8,00004000,?,00000000,?,00403583,00000004,00000000,00000000,?,?,?,004038C5), ref: 0040352A

Strings

qB, xrefs: 0040342C
XqB, xrefs: 0040349E

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: XqB$qB
API String ID: 2146148272-2352303668
Opcode ID: 979a132689fdd3b66ddc975673b61f2c520d6a21d2f47b68d5318fd2806375dd
Instruction ID: 352f119b9731fba5dc1d5d47024dbf085b4ecca43a18aeda97e8958449c38e74
Opcode Fuzzy Hash: 979a132689fdd3b66ddc975673b61f2c520d6a21d2f47b68d5318fd2806375dd
Instruction Fuzzy Hash: F841A372604211AFCB209F29EE4593A3F6CFB1435A784027FE511A23B0CB399E55CB5D

Function 70262445 Relevance: 10.6, APIs: 7, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,70262B4A,00000000), ref: 70262499

Part of subcall function 7026164F: lstrcpyW.KERNEL32(00000018,00000000), ref: 70261674

wsprintfW.USER32 ref: 702624E8
GlobalFree.KERNEL32(?), ref: 70262516
GlobalFree.KERNELBASE(00000000), ref: 7026253F

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: FreeGlobal$FromStringlstrcpywsprintf
String ID:
API String ID: 2435812281-0
Opcode ID: edef332e16bc51550339ada3aa60fc62461ae22a73c36de497aee3f83fc55194
Instruction ID: cfb754405a6c6528104f1214423ce95dbcf08adb731389fff0a2b06f9206e04b
Opcode Fuzzy Hash: edef332e16bc51550339ada3aa60fc62461ae22a73c36de497aee3f83fc55194
Instruction Fuzzy Hash: D7310073208902AFD7228F24CE48A1EB7B9EB442547614508F943D6DA4DF349CFCEB22

Function 050D5F42 Relevance: 10.6, APIs: 7, Instructions: 73filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 050D5F83
SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000), ref: 050D5F9C
GetFileSize.KERNEL32(000000FF,00000000), ref: 050D5FA8
GlobalAlloc.KERNEL32(00000040,000000FD), ref: 050D5FC0
ReadFile.KERNELBASE(000000FF,00000000,000000FF,00000000,00000000), ref: 050D5FE1
CloseHandle.KERNEL32(000000FF), ref: 050D5FEF
GlobalFree.KERNEL32(00000000), ref: 050D600E

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: File$Global$AllocCloseCreateFreeHandlePointerReadSize
String ID:
API String ID: 3525489169-0
Opcode ID: 7a601b565afd43545bc4e114ae0d3d589ebded0eae7d6d8d4c87d109dca5a95a
Instruction ID: 9109fd7e849cbf0f65e5f881d98fc70ac6448f74adfa2fb5c7ff017e36e0f656
Opcode Fuzzy Hash: 7a601b565afd43545bc4e114ae0d3d589ebded0eae7d6d8d4c87d109dca5a95a
Instruction Fuzzy Hash: 59311D74A00308EFDB14DFA4DC59BAEBBB4FB08714F108649FA15AB2C0CBB95605CB64

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Part of subcall function 004050D2: lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
Part of subcall function 004050D2: lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
Part of subcall function 004050D2: lstrcatW.KERNEL32(0043B238,00403361), ref: 0040512D
Part of subcall function 004050D2: SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
Part of subcall function 004050D2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

Part of subcall function 00405D9F: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457288,Error launching installer), ref: 00405DC4
Part of subcall function 00405D9F: CloseHandle.KERNEL32(?), ref: 00405DD1

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 17554e249cd14fb5cd0c3b2798a4193156fd42220d6d33eb710891a55c479f0c
Instruction ID: e2ade92b8e8beb45c5288a0de0c91049ee5acc48a81ea59d75a15a872706837f
Opcode Fuzzy Hash: 17554e249cd14fb5cd0c3b2798a4193156fd42220d6d33eb710891a55c479f0c
Instruction Fuzzy Hash: 6E11C232504115EBDB11AFE0DE4AAAE3AA5EF00324B24807FF502B50D1CABC4952DBAD

Function 00402B23 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,HideCommandLineWindow,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,HideCommandLineWindow,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,HideCommandLineWindow,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Strings

HideCommandLineWindow, xrefs: 00402B5A

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID: HideCommandLineWindow
API String ID: 2568930968-1563606009
Opcode ID: 37df47139288bb5308ab500167525db906f8869ab55d91c6a88dcede18f9fec2
Instruction ID: 2b6f9eedf6ae11cfe1e36f0213f8387d72ebb0b879c85407db03f4e9eb7306d9
Opcode Fuzzy Hash: 37df47139288bb5308ab500167525db906f8869ab55d91c6a88dcede18f9fec2
Instruction Fuzzy Hash: A7016171500204BBDB14AF60DE49D9E3B78EF05359F10443AF646BA1E1D6798982DB68

Function 00402713 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 0040616A: lstrcpynW.KERNEL32(?,?,00002004,00403A51,0046ADC0,NSIS Error), ref: 00406177

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe", xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
HideCommandLineWindow, xrefs: 00402718, 0040271D, 0040272C, 0040276F

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"$<RM>$HideCommandLineWindow$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-433023660
Opcode ID: 76e29fefa2fcb51dbbedf7035b1aedb250ed7f53bb72e54dbf76baee11489292
Instruction ID: 42bd81ef3d59a899a4afa764d38de83c0885f73ff342ba6e601af17a918a1269
Opcode Fuzzy Hash: 76e29fefa2fcb51dbbedf7035b1aedb250ed7f53bb72e54dbf76baee11489292
Instruction Fuzzy Hash: D301FF75D00319BACB107FA58D859AF7978AF09345F10403FF11A761E3D7B84A508BAD

Function 00403550 Relevance: 7.6, APIs: 5, Instructions: 108fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(-00069C40,00000000,00000000,00000000,00000000,?,?,?,004038C5,000000FF,00000000,00000000,004091D8,?), ref: 00403574
ReadFile.KERNELBASE(004091D8,00000004,?,00000000,00000000,00000004,00000000,00000000,?,?,?,004038C5,000000FF,00000000,00000000,004091D8), ref: 004035A2
ReadFile.KERNELBASE(0042F1E8,00004000,?,00000000,004091D8,?,004038C5,000000FF,00000000,00000000,004091D8,?), ref: 004035FC
WriteFile.KERNELBASE(00000000,0042F1E8,?,000000FF,00000000,?,004038C5,000000FF,00000000,00000000,004091D8,?), ref: 00403614

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID:
API String ID: 2113905535-0
Opcode ID: 7052c420235308e1a53cecd41fbf7afbbe8e53aab26b08745c9ca0e470065494
Instruction ID: a63153eef40669f0ed7c1800638863e54a14cc79a46bc24bc920c3bc8af84b95
Opcode Fuzzy Hash: 7052c420235308e1a53cecd41fbf7afbbe8e53aab26b08745c9ca0e470065494
Instruction Fuzzy Hash: 5E31F971500108FBDB21CFA9ED44EAE3BBCEB44351F60483AF904E6290D6359B51DB69

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 0040616A: lstrcpynW.KERNEL32(?,?,00002004,00403A51,0046ADC0,NSIS Error), ref: 00406177

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe", xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-2584812219
Opcode ID: 18b4178551c86a45abeddca5050921926a3f5ab0cd3fa67d3c4eac0a98504fae
Instruction ID: 00a269db9d122ce218cb6369f3e7d31d5b123713c6f27ce8ba71e52fe8ccb839
Opcode Fuzzy Hash: 18b4178551c86a45abeddca5050921926a3f5ab0cd3fa67d3c4eac0a98504fae
Instruction Fuzzy Hash: 6F21D476601105EBD710AB64DD81A6F77A4EF04318721403FF542B72D2E7789C1186AD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 004060B2: wsprintfW.USER32 ref: 004060BF

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 499cadfa344b62526d7b141b3586f4b269aab55898d88dbec3dfdd6d2d107791
Instruction ID: d706dadd873a054bb948c0373b183cc18cdaf107e69ff1aff3bcb7a8f3beee4c
Opcode Fuzzy Hash: 499cadfa344b62526d7b141b3586f4b269aab55898d88dbec3dfdd6d2d107791
Instruction Fuzzy Hash: 6E114C72900109AFCF01EFA1DD459AE7BB8EF04344F10407AF606F62A0D7799A51DB59

Function 10001B4D Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000000,?,?,?,10001D60,?), ref: 10001B64
GetTokenInformation.KERNELBASE(00000000,00000012(TokenIntegrityLevel),?,00000004,?,?,?,?,10001D60,?), ref: 10001B7A
SetLastError.KERNEL32(00000000,?,?,?,10001D60,?), ref: 10001B86
GetLastError.KERNEL32(?,?,?,10001D60,?), ref: 10001B8C
CloseHandle.KERNEL32(00000000,?,?,?,10001D60,?), ref: 10001B97

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID:
API String ID: 4040495316-0
Opcode ID: 6d9e3710b4c717eafaab26f657cf2c10de98fd6e4a3aea65354d4a14066186e3
Instruction ID: 0cd616b1b210e777e24bf8a6dc9bd802a97b1b10b282f73080bbef1cfd2adf0e
Opcode Fuzzy Hash: 6d9e3710b4c717eafaab26f657cf2c10de98fd6e4a3aea65354d4a14066186e3
Instruction Fuzzy Hash: F8F01D76600228BBEB109B90CC49BD97BACEF047E2F104155FA55E2094DBB49A40DBA0

Function 70262A4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 70261C1B: GlobalFree.KERNEL32(?), ref: 70261E69
Part of subcall function 70261C1B: GlobalFree.KERNEL32(?), ref: 70261E6E
Part of subcall function 70261C1B: GlobalFree.KERNELBASE(?), ref: 70261E73

GlobalFree.KERNEL32(00000000), ref: 70262AFA
FreeLibrary.KERNEL32(?), ref: 70262B71
GlobalFree.KERNELBASE(00000000), ref: 70262B96

Part of subcall function 702623C1: GlobalAlloc.KERNEL32(00000040,00000000), ref: 702623F3

Part of subcall function 702625B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,?,70262ACB,00000000), ref: 70262611

Part of subcall function 70261904: lstrcpyW.KERNEL32(00000000,error), ref: 70261929

Part of subcall function 70262445: wsprintfW.USER32 ref: 702624E8
Part of subcall function 70262445: GlobalFree.KERNEL32(?), ref: 70262516
Part of subcall function 70262445: GlobalFree.KERNELBASE(00000000), ref: 7026253F

Strings

, xrefs: 70262B77

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: 93fc9c37e1da9f2b9755197c8cfaf5a70e4959b856634a35ffdc7cc82889dd55
Instruction ID: 91628636527932751b77ebcc65566cea5efd840676984bc8780c423d192348af
Opcode Fuzzy Hash: 93fc9c37e1da9f2b9755197c8cfaf5a70e4959b856634a35ffdc7cc82889dd55
Instruction Fuzzy Hash: 5E31DA73504A429ECB159F64C8C5B9D3BB8EB04314F148429F9475ED96CBF4A8ECDB22

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Part of subcall function 00406436: FindFirstFileW.KERNELBASE(004572D0,0045BED8,004572D0,0040692F,004572D0), ref: 00406441
Part of subcall function 00406436: FindClose.KERNEL32(00000000), ref: 0040644D

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 882c708a540b1b6e40822fa95cd5da4fbfff49ab246fdf6d56c9b4995ea32088
Instruction ID: c5bc72853f8421da741d5617367b4824c82a14243d7aff776d7bb0801c040b7d
Opcode Fuzzy Hash: 882c708a540b1b6e40822fa95cd5da4fbfff49ab246fdf6d56c9b4995ea32088
Instruction Fuzzy Hash: 94114F71D00214AACB10BBBA994699FBBBCEF04314F10843FE506F7292E6B985118B59

Function 00405FE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405FFE
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403946,004D30C0,004D70C8), ref: 00406019

Strings

"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" , xrefs: 00405FE9
nsa, xrefs: 00405FED

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" $nsa
API String ID: 1716503409-2838144880
Opcode ID: 4c34e6a0a90932f4b551cf1a0ac55fda76427712b032f8561b8497f4a2d6824a
Instruction ID: be25c3b17c8933440b05da9cd673d95fc9e669a54b60c2a7ae19a21696f833e6
Opcode Fuzzy Hash: 4c34e6a0a90932f4b551cf1a0ac55fda76427712b032f8561b8497f4a2d6824a
Instruction Fuzzy Hash: 03F06776600208ABDB10CF59DD09A9EBBADEF94710F00803FFA45E7290E6B09A54C768

Function 70261108 Relevance: 6.4, APIs: 5, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 702615A3: lstrcpyW.KERNEL32(00000000,?), ref: 702615C1
Part of subcall function 702615A3: GlobalFree.KERNEL32 ref: 702615D2

GlobalAlloc.KERNEL32(00000040,?), ref: 7026118F
GlobalFree.KERNEL32(00000000), ref: 702611D0
GlobalFree.KERNEL32(00000000), ref: 702611F0
GlobalFree.KERNEL32(00000000), ref: 70261204
GlobalFree.KERNELBASE(?), ref: 7026122E

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: 3cd4176b1ef7d31f65dffaf290c2f8c2c3cd3040218c358189a07dccc21ee8e2
Instruction ID: f64a512ba13b0c185de00e760b671bc364258fa72ed0780e09965dd4bd5d41a9
Opcode Fuzzy Hash: 3cd4176b1ef7d31f65dffaf290c2f8c2c3cd3040218c358189a07dccc21ee8e2
Instruction Fuzzy Hash: B631EC73A042129FD3018FA9CC49B5D77FCEB462547284559FA85CBF60E6B4F890A720

Function 004064C6 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 004064D1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004064E7
GetProcAddress.KERNEL32(?,00000000), ref: 004064F6
GlobalFree.KERNEL32(00000000), ref: 004064FF

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: cca72bce24a91bf59807d1cc254d6b8728fe87be69838ce7ea74a844989b610b
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 68E0D8312001107BE2101B269E8CD677EADDFCA7B2B05013EF685F11A0CE308C11D638

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457288,Error launching installer), ref: 00405DC4
CloseHandle.KERNEL32(?), ref: 00405DD1

Strings

Error launching installer, xrefs: 00405DA8

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 2afcd463f825584facbc8802dab800c5bb1591f62b8a6ee26e2c87f99b5cd2cd
Instruction ID: 382474dafc83c3ab62cfa3b3aa405e4b9d7c85dbe04cfe36e17f81e43d348e98
Opcode Fuzzy Hash: 2afcd463f825584facbc8802dab800c5bb1591f62b8a6ee26e2c87f99b5cd2cd
Instruction Fuzzy Hash: 6BE0EC70510309AFEB009B64ED0997B7BBCFB00305F508576BD51E2661D779D9148A68

Function 00407A26 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36cb06954edc7335e9d92b109141cbd09c7a7193fbcbb3a0e0d18f944b47e5e
Instruction ID: 7372baf4ca72983a720edb26d3aa8eb56cdb2bb7098e1cb2460684513cc098eb
Opcode Fuzzy Hash: c36cb06954edc7335e9d92b109141cbd09c7a7193fbcbb3a0e0d18f944b47e5e
Instruction Fuzzy Hash: 38A14671914248EBDB18CF18C8946ED3BE1FF44355F10912AFD5AAB290D738E981CF85

Function 00407C24 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f400c994127adfbf61058f0df631bf6e0d69df8ab50e85f6c29bef2e618aba5
Instruction ID: 19be9bd041eb831dc497f9eed389fffc0b40ebad8130cd8a8cc9c73c743c8dd7
Opcode Fuzzy Hash: 1f400c994127adfbf61058f0df631bf6e0d69df8ab50e85f6c29bef2e618aba5
Instruction Fuzzy Hash: FC913471904248EBDF18CF18C8947E93BA1FF44399F10912AFC5AAB291C738E985CF85

Function 00407473 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb3c0e8f84787af47df7413a68d2a7b57c255642fcd00871c8e2605327e1244
Instruction ID: 7f7ee5045e18535129bde91f801cc5c524a8174eb8871a5b0dc4d7b8e610d919
Opcode Fuzzy Hash: 0eb3c0e8f84787af47df7413a68d2a7b57c255642fcd00871c8e2605327e1244
Instruction Fuzzy Hash: 40814871918248EBDB14CF29C8447ED3BA1FF44355F10812AFD6AAB290D778E985CF85

Function 004078B3 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf24dacc8478a35d58cb1e451b5f07b4fbd3d5e90387a27a31f51ce211858d9
Instruction ID: 0b2195dfed2d2eaf31799a866d23b30a47b9bddfdc78d95a245e633d29955650
Opcode Fuzzy Hash: dcf24dacc8478a35d58cb1e451b5f07b4fbd3d5e90387a27a31f51ce211858d9
Instruction Fuzzy Hash: 41711271914248EBDF28CF18C844AE93BE1FF48355F10812AFD5AAB291D738E985CF85

Function 004079B5 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1648e0811c9f97d55a3022652a548649fa1c26b9f6cb7626f8a21e4732b448f
Instruction ID: e9ed1edde03ce079a1eac7925ffd26eceee2e589c91d04c2349d82a358760cac
Opcode Fuzzy Hash: b1648e0811c9f97d55a3022652a548649fa1c26b9f6cb7626f8a21e4732b448f
Instruction Fuzzy Hash: 51713471918248EBDF18CF18C844BE93BB1FF44345F10812AFD5AAA291C738E985CF86

Function 00407913 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231398222cbd9f561c647f948b9b3d3c6184bd44b9bf4c4e3e1677bf7cb27c81
Instruction ID: 372954581a63a42c771a5a1ecf6877848c3696302c905df1bb59de476e0b08a4
Opcode Fuzzy Hash: 231398222cbd9f561c647f948b9b3d3c6184bd44b9bf4c4e3e1677bf7cb27c81
Instruction Fuzzy Hash: FB613671904248EBEB28CF18C844BAD3BB1FF44345F10912AFD56AA291D778E985CF86

Function 00407DC0 Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 00407526
GlobalAlloc.KERNELBASE(00000040,?,00000000,00004000,0042F1E8), ref: 0040752F
GlobalFree.KERNEL32(?), ref: 0040759E
GlobalAlloc.KERNELBASE(00000040,?,00000000,00004000,0042F1E8), ref: 004075A9

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: 6fc4b81007277366271f5ed8f4823a6fbaedd18a17911aa1f8adf1f3d20f8d2f
Instruction ID: 69d61f3c28aa3c4651f1fcdc65fbd76dba6520ab561f69162c86fd3f3c29a3b1
Opcode Fuzzy Hash: 6fc4b81007277366271f5ed8f4823a6fbaedd18a17911aa1f8adf1f3d20f8d2f
Instruction Fuzzy Hash: C9514471914248EBDB28CF19C854AAD3BE1FF44355F10812AFD5AAA291C738E981CF85

Function 00402B9F Relevance: 4.6, APIs: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000001,?), ref: 00402BED
MultiByteToWideChar.KERNEL32(?,?,?,00000001,?,00000002), ref: 00402C14

Part of subcall function 004060B2: wsprintfW.USER32 ref: 004060BF

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: ByteCharFileMultiReadWidewsprintf
String ID:
API String ID: 2364376003-0
Opcode ID: 14d2e5f0a76c930811b8f64fdfc0fa0e2f8275d22f94cac74b50ae0c6de7aed3
Instruction ID: b736646ffbb8274f0b2c0f55679a0b09e5904d597d9e4d846d7759ba10fa4134
Opcode Fuzzy Hash: 14d2e5f0a76c930811b8f64fdfc0fa0e2f8275d22f94cac74b50ae0c6de7aed3
Instruction Fuzzy Hash: 8E31B535908148BAEB119F648A88AFE7778EF01314F14407BE492F62D4D2B98E81C759

Function 00406034 Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,?,00406A96,80000002,Software\Microsoft\Windows\CurrentVersion,?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe","C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"), ref: 0040605E
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406A96,80000002,Software\Microsoft\Windows\CurrentVersion,?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe","C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"), ref: 00406080
RegCloseKey.ADVAPI32(?,?,00406A96,80000002,Software\Microsoft\Windows\CurrentVersion,?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe","C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"), ref: 004060A7

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ce379d2cd2c6934f93681775daff6b6b388132cfaa10fc4de9bcc8a3fbe1b6f0
Instruction ID: 98a2f5c40708be4a22a19e2b3dffd551e29741b81bdf7905c269ac5831645af6
Opcode Fuzzy Hash: ce379d2cd2c6934f93681775daff6b6b388132cfaa10fc4de9bcc8a3fbe1b6f0
Instruction Fuzzy Hash: F301487125020AAADF21CF64ED05BDB3BE9EF18354F014426FA05E2160E335E964DBA9

Function 0040645D Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,00403A26,00000008), ref: 0040646B
LoadLibraryA.KERNELBASE(?,?,?,00000020,00403A26,00000008), ref: 00406476
GetProcAddress.KERNEL32(00000000), ref: 00406488

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 834e98854e3cd4bdbc26171f75450eebe3d36459cd124193f5d9cd80cd5e6d51
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 97D012312001059BC6001B65AF08A5F776DEF95611707C03EF546F3131EB34D415A6AD

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405FB0 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004036BC,004DF0D8,80000000,00000003), ref: 00405FB4
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405FD6

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bb163b9fe6ad53c4c24c626dc6eb2012a5604aa560a8fbe1d65a356919806daf
Instruction ID: 0718ebe39a3ec8d134d715fe04010489d3ea4afa24b2ee2dc260a56d563539cd
Opcode Fuzzy Hash: bb163b9fe6ad53c4c24c626dc6eb2012a5604aa560a8fbe1d65a356919806daf
Instruction Fuzzy Hash: C9D09E71654202EFEF098F60DE1AF6EBBA2EB94B00F01852CB396540F0DA725819DB15

Function 00402DA5 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402DC0

Part of subcall function 004060B2: wsprintfW.USER32 ref: 004060BF

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 10236523b1b82d1dfa0b6a0d4cdd1d04937be490d17512a33b5600199dc53e43
Instruction ID: b489a4299bf93da238d67b2395a4f637ce1eda5adeec28224da557ff73f55b49
Opcode Fuzzy Hash: 10236523b1b82d1dfa0b6a0d4cdd1d04937be490d17512a33b5600199dc53e43
Instruction Fuzzy Hash: 77E04F72601104ABD711EBA5AD42CAE7A6CAB00359B14443BF102F5091C67A8A50863D

Function 050D5D6D Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,050D2927,?,?,050D2927,00000000,05130EC0,00000000,00000000), ref: 050D5D8F

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f285971f2bd5eca80a8c3a8170ec208493a3192f96efc00a360a29e97ea161b0
Instruction ID: b90a7e174e6f6ac56b1831b63f15fd13af4ac0962b860834e7531eb24b664d39
Opcode Fuzzy Hash: f285971f2bd5eca80a8c3a8170ec208493a3192f96efc00a360a29e97ea161b0
Instruction Fuzzy Hash: 83E075B5654108BBDB04CF88D992FAB7BA9EB4C750F108248FE0897280D671ED118BA4

Function 00403389 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(004091D8,00000000,00000000,00000000,0042F1E8,004271E0,00403453,0042F1E8,00004000,?,00000000,?,00403583,00000004,00000000,00000000), ref: 004033A0

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: c6c40d3f4f7261540deed743693c79d8b23b6d840c968e3368c6ef78f45d931b
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: B0E08C32114118BBCB119E929C40AE77B5CEB043A2F008432BE54E9290DA30DA04DBA8

Function 050D5E4B Relevance: 1.5, APIs: 1, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(050F8A00,00000003,00000000,?,00000000,050D298F,00000000,?,050D298F,00000000,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg,00000000,00000003,050F8A00,?), ref: 050D5E65

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 96d05c809d8c181353b84f1dce5b576fb58cbe761a2bb231b32136d3840bef35
Instruction ID: 506600832678f977bc2a174b96fc638c2db82420810cf9f0d87268d642baa36a
Opcode Fuzzy Hash: 96d05c809d8c181353b84f1dce5b576fb58cbe761a2bb231b32136d3840bef35
Instruction Fuzzy Hash: 0DE0B6B5614208BFCB04CF88D841E9F7BACEB4C310F008148FE08C7240C631ED118BA0

Function 00403914 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406199: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 004061FC
Part of subcall function 00406199: CharNextW.USER32(?,?,?,00000000), ref: 0040620B
Part of subcall function 00406199: CharNextW.USER32(?,004D70C8,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406210
Part of subcall function 00406199: CharPrevW.USER32(?,?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406224

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403B6B), ref: 00403935

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: f4befcb6106095d9d06c1b39d32d6196981096d2805c3ce9a3ed86820828cee4
Instruction ID: 5ea94fba79f3f21d5ad716e498331d560289176cc766b9bc92f8e515fc4ca6d3
Opcode Fuzzy Hash: f4befcb6106095d9d06c1b39d32d6196981096d2805c3ce9a3ed86820828cee4
Instruction Fuzzy Hash: 14D0C922147D3136C592376A7D06FCF090D8F0279AB0A407BF949B91CA5FAC4B8285FE

Function 70262728 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(70264020,00000004,00000040,70264028), ref: 70262746

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 028d8afcab27be29925b54d66307c32bccd6048476c247e734976de6a53c2c17
Instruction ID: 2182a0be114ed88218ef0a3613f33e82aeb7beb69749b91fb70f243e8579e4fe
Opcode Fuzzy Hash: 028d8afcab27be29925b54d66307c32bccd6048476c247e734976de6a53c2c17
Instruction Fuzzy Hash: BEE0C073919361DEC359CF7A9C887167AF0A31A306B21C52AEBC8DEAA0D3F04144BB15

Function 050D5D1B Relevance: 1.5, APIs: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00020019,00000000,00000000,?,050D13BB,?,?,050D13BB,?,?,00000000,00020019,?), ref: 050D5D31

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 64728c486a7af5ec150edb532711d3d41523e4fe50248565462330104fb42b04
Instruction ID: 02133ee1275e9c916756f4eda7d54f40def6f3b70c3b7d6ce12486b404d95156
Opcode Fuzzy Hash: 64728c486a7af5ec150edb532711d3d41523e4fe50248565462330104fb42b04
Instruction Fuzzy Hash: 01D042B5615108FBCB04CF99D946E9FBBACEB48650F108149BE08D7240D671AE118BA1

Function 004033BB Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040389E,?), ref: 004033C9

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 70261581 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,702615BA,?,?,7026185F,?,70261017), ref: 7026158B

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: a8f837c23d3f93b5e03da40ec3bce854b897fc4839e8f86696ae352a18a4cf7f
Instruction ID: 7a704159488335939a73fe7b07341056897f08ddcd022005ddc0fbef1e166200
Opcode Fuzzy Hash: a8f837c23d3f93b5e03da40ec3bce854b897fc4839e8f86696ae352a18a4cf7f
Instruction Fuzzy Hash: 50B012732080005FEE008B15CC0EF303AA4E700308F204040F704C9450C2F048049514

Non-executed Functions

Function 0040522D Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040528F
GetDlgItem.USER32(?,000003EE), ref: 0040529E
GetClientRect.USER32(?,?), ref: 004052F6
GetSystemMetrics.USER32(00000015), ref: 004052FE
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 0040531F
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405330
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405343
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405351
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405364
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405386
ShowWindow.USER32(?,00000008), ref: 0040539A
GetDlgItem.USER32(?,000003EC), ref: 004053BB
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004053CB
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004053E0
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004053EC
GetDlgItem.USER32(?,000003F8), ref: 004052AD

Part of subcall function 00403EF8: SendMessageW.USER32(00000028,?,00000001,00405914), ref: 00403F06

Part of subcall function 00406966: GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

GetDlgItem.USER32(?,000003EC), ref: 0040540B
CreateThread.KERNEL32(00000000,00000000,Function_000051A7,00000000), ref: 00405419
CloseHandle.KERNEL32(00000000), ref: 00405420
ShowWindow.USER32(00000000), ref: 00405447
ShowWindow.USER32(?,00000008), ref: 0040544C
ShowWindow.USER32(00000008), ref: 00405493
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054C5
CreatePopupMenu.USER32 ref: 004054D6
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004054EB
GetWindowRect.USER32(?,?), ref: 004054FE
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405520
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040555B
OpenClipboard.USER32(00000000), ref: 0040556B
EmptyClipboard.USER32 ref: 00405571
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040557D
GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405587
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040559B
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004055BD
SetClipboardData.USER32(0000000D,00000000), ref: 004055C8
CloseClipboard.USER32 ref: 004055CE

Strings

New install of "%s" to "%s", xrefs: 004052E2
PrD, xrefs: 00405537
{, xrefs: 004054B2

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"$PrD${
API String ID: 2110491804-2508554099
Opcode ID: 11dd572734fdcc9cd5cd232e0012044d14f9f12b4c407c8bff242ac5f06050a0
Instruction ID: 894ce410e52ba77d1203c8417793cf84406b50b5a57a64d435ed06079733cfed
Opcode Fuzzy Hash: 11dd572734fdcc9cd5cd232e0012044d14f9f12b4c407c8bff242ac5f06050a0
Instruction Fuzzy Hash: 25B15B70800608FFDB119F60DE85EAE7B79FB44355F00813AFA45BA1A0CBB98A519F59

Function 00404ADC Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404AF3
GetDlgItem.USER32(?,00000408), ref: 00404B00
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B4F
LoadBitmapW.USER32(0000006E), ref: 00404B62
SetWindowLongW.USER32(?,000000FC,Function_00004A2C), ref: 00404B7C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B8E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404BA2
SendMessageW.USER32(?,00001109,00000002), ref: 00404BB8
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BC4
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BD4
DeleteObject.GDI32(?), ref: 00404BD9
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C04
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C10
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CB1
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404CD4
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CE5
GetWindowLongW.USER32(?,000000F0), ref: 00404D0F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D1E
ShowWindow.USER32(?,00000005), ref: 00404D2F
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E2D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404E88
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404E9D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EC1
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404EE7
ImageList_Destroy.COMCTL32(?), ref: 00404EFC
GlobalFree.KERNEL32(?), ref: 00404F0C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404F7C
SendMessageW.USER32(?,00001102,?,?), ref: 0040502A
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405039
InvalidateRect.USER32(?,00000000,00000001), ref: 00405059
ShowWindow.USER32(?,00000000), ref: 004050A9
GetDlgItem.USER32(?,000003FE), ref: 004050B4
ShowWindow.USER32(00000000), ref: 004050BB

Strings

N, xrefs: 00404D66
, xrefs: 00405099
M, xrefs: 00404CA3
@, xrefs: 00404CF0

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 331d57f919298572917719af16d59c3eea641a000a84375da397a5fe01c84ea5
Instruction ID: ce2321f3f297f3fbf41fbef512ec3ccbffa26c3bd4bbee077dcac70070df60a7
Opcode Fuzzy Hash: 331d57f919298572917719af16d59c3eea641a000a84375da397a5fe01c84ea5
Instruction Fuzzy Hash: CC025AB0900209AFDF209FA4DD45AAE7BB5FB84314F10413AF615B62E1D7B88E91DF58

Function 10001571 Relevance: 59.8, APIs: 31, Strings: 3, Instructions: 313windowprocessstringCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 10001583
lstrlenW.KERNEL32(?), ref: 10001615
lstrlenW.KERNEL32(?), ref: 1000161D
GlobalAlloc.KERNEL32(00000040,?), ref: 1000162B
wsprintfW.USER32 ref: 10001663
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1000169F
GetLastError.KERNEL32 ref: 100016B0

Part of subcall function 10001480: GetDlgItem.USER32(?,00000001), ref: 100014BF
Part of subcall function 10001480: EnableWindow.USER32(00000000), ref: 100014C2

GetDlgItem.USER32(?,000003EC), ref: 100016DB
SendMessageW.USER32(00000000), ref: 100016E4
GetDlgItem.USER32(?,000003ED), ref: 100016FC
SendMessageW.USER32(00000000), ref: 100016FF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000001,00000000,?,00000000,00000000,00000000,00000044,?), ref: 10001753
GetLastError.KERNEL32 ref: 10001767
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,00000000), ref: 1000179C
MessageBoxW.USER32(?,?,00000000,00000030), ref: 100017B4
LocalFree.KERNEL32(?), ref: 100017BD
GetLastError.KERNEL32 ref: 100017C5
GlobalFree.KERNEL32(?), ref: 100017CC
CloseHandle.KERNEL32(?), ref: 100017D5
EndDialog.USER32(?,-00000001), ref: 100017F9
SetWindowLongW.USER32(?,000000EB,?), ref: 1000181E
GetDlgItem.USER32(?,000003EC), ref: 1000183D
SendMessageW.USER32(00000000), ref: 10001846
GetDlgItem.USER32(?,000003ED), ref: 1000185B
SendMessageW.USER32(00000000), ref: 1000185E
LoadLibraryA.KERNEL32(SHELL32), ref: 10001865
LoadImageW.USER32(00000000,000000C2,00000001,00000020,00000020,00008000), ref: 1000187C
GetDlgItem.USER32(?,000003EA), ref: 10001891
SendMessageW.USER32(00000000), ref: 10001894
SendMessageW.USER32(?,0000000C,00000000), ref: 100018A3
DestroyWindow.USER32(?), ref: 100018E9

Strings

%s%s%s, xrefs: 1000165B
D, xrefs: 1000167C
SHELL32, xrefs: 10001860

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Message$ItemSend$Window$ErrorLast$CreateFreeGlobalLoadLongProcesslstrlen$AllocCloseDestroyDialogEnableFormatHandleImageLibraryLocalLogonWithwsprintf
String ID: %s%s%s$D$SHELL32
API String ID: 2856953046-1920488832
Opcode ID: ea474140cac456f78d6d3e5b7960cb7afc163cd58573efcf63ed2d4fe950c5e0
Instruction ID: 6eee2769d5493dfee740adc41000da3eadc798a05ffbb18bc8d5d8c70be693c2
Opcode Fuzzy Hash: ea474140cac456f78d6d3e5b7960cb7afc163cd58573efcf63ed2d4fe950c5e0
Instruction Fuzzy Hash: 18A1BF71600259BFFB11DFA0CC84EEE7BBDEB447C1F114029FA05A71A8DA719E419B61

Function 00404605 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404659
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404667
GetDlgItem.USER32(?,000003FB), ref: 00404687
GetAsyncKeyState.USER32(00000010), ref: 0040468E
GetDlgItem.USER32(?,000003F0), ref: 004046A3
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 004046B4
SetWindowTextW.USER32(?,?), ref: 004046E3
SHBrowseForFolderW.SHELL32(?), ref: 0040479D
lstrcmpiW.KERNEL32("C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe",00447250,00000000,?,?), ref: 004047DA
lstrcatW.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"), ref: 004047E6
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004047F6
CoTaskMemFree.OLE32(00000000), ref: 004047A8

Part of subcall function 00405DE4: GetDlgItemTextW.USER32(00000001,00000001,00002004,004040E1), ref: 00405DF7

Part of subcall function 00406199: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 004061FC
Part of subcall function 00406199: CharNextW.USER32(?,?,?,00000000), ref: 0040620B
Part of subcall function 00406199: CharNextW.USER32(?,004D70C8,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406210
Part of subcall function 00406199: CharPrevW.USER32(?,?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406224

Part of subcall function 00403FD4: lstrcatW.KERNEL32(00000000,00000000), ref: 00403FEF

GetDiskFreeSpaceW.KERNEL32(00443248,?,?,0000040F,?,00443248,00443248,?,00000000,00443248,?,?,000003FB,?), ref: 004048B9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004048D4

Part of subcall function 00406966: GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37

SetDlgItemTextW.USER32(00000000,00000400,0040931C), ref: 0040494D

Strings

PrD, xrefs: 00404770
H2D, xrefs: 0040483B
"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe", xrefs: 004047D4, 004047D9, 004047E4
A, xrefs: 00404796

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"$A$H2D$PrD
API String ID: 3347642858-365947127
Opcode ID: 563870873e52b2e0a3cdb2865a86a3a579f559fabb233f753f9e034d7750c1c3
Instruction ID: b0b3c754d12335248bfc7248cfd16ee1359f8a3788a1353c85d9a997a926ad80
Opcode Fuzzy Hash: 563870873e52b2e0a3cdb2865a86a3a579f559fabb233f753f9e034d7750c1c3
Instruction Fuzzy Hash: A9B184B1900205ABDF11AFA1CD85AAF7BB8EF84315F10843BF705B72D1D7789A418B69

Function 100012F6 Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 113stringCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000FA), ref: 10001307
GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 1000131A
lstrcatW.KERNEL32(?,lng), ref: 10001340

Part of subcall function 1000128A: GetPrivateProfileStringW.KERNEL32(MyRunAsStrings,000000FF,00000000,?,00000208,?), ref: 100012AC

Part of subcall function 1000128A: SendMessageW.USER32(00000000), ref: 100012EC

Part of subcall function 1000128A: GetDlgItem.USER32(?,000000FF), ref: 100012E5

GetDlgItem.USER32(?,000003E8), ref: 10001400
GetPrivateProfileIntW.KERNEL32(MyRunAsCfg,DisableCurrUserOpt,00000000,?), ref: 10001422
EnableWindow.USER32(?,00000000), ref: 1000142C
GetPrivateProfileIntW.KERNEL32(MyRunAsCfg,HideCurrUserOpt,00000000,?), ref: 10001440
ShowWindow.USER32(?,00000000), ref: 1000144B

Strings

Cancel, xrefs: 100013F4
Username, xrefs: 100013B2
lng, xrefs: 1000133A
HelpText, xrefs: 10001369
HideCurrUserOpt, xrefs: 1000143A
DisableCurrUserOpt, xrefs: 1000141C
Pwd, xrefs: 100013CA
DlgTitle, xrefs: 10001351
OptCurrUser, xrefs: 10001382
MyRunAsCfg, xrefs: 10001415, 10001421, 1000143F
OptOtherUser, xrefs: 1000139A

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: PrivateProfileWindow$Item$EnableFileLongMessageModuleNameSendShowStringlstrcat
String ID: Cancel$DisableCurrUserOpt$DlgTitle$HelpText$HideCurrUserOpt$MyRunAsCfg$OptCurrUser$OptOtherUser$Pwd$Username$lng
API String ID: 269917529-1606624064
Opcode ID: 862e5e30289adcc3691008639fd92c3349852e4b1b12bdd8b44c85aff9c9fdda
Instruction ID: 72e3e7567a4b2d08d3af25829a5d8fef434853eb0c6f4d8b40b6ac70311a2b67
Opcode Fuzzy Hash: 862e5e30289adcc3691008639fd92c3349852e4b1b12bdd8b44c85aff9c9fdda
Instruction Fuzzy Hash: 44318BF140016C7AF710DB518C88EEB3A6CEB997C5F414565FB15E2089DEB09EC08A78

Function 00407033 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00407057
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00407091
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 0040710A
lstrcpynA.KERNEL32(?,?,00000005), ref: 00407116
lstrcmpA.KERNEL32(name,?), ref: 00407128
CloseHandle.KERNEL32(?), ref: 00407347

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Strings

name, xrefs: 00407120
%s: failed opening file "%s", xrefs: 0040706D
GetTTFNameString, xrefs: 00407068

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: 0715d5e28a72504c5accadc8c16e1503c0709497f081ba3703715ed6f8973fce
Instruction ID: a1a783c1589cc2114d60951c227a61dfc271eaab027b45fbce8ea6a895ba6447
Opcode Fuzzy Hash: 0715d5e28a72504c5accadc8c16e1503c0709497f081ba3703715ed6f8973fce
Instruction Fuzzy Hash: DC91C170D1412DAADF04EBE5C9909FEBBB9EF48301F00406AF592F7290E6385A05EB75

Function 100011A5 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75windowlibraryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 100011EC
wsprintfW.USER32 ref: 1000121C
GetDlgItem.USER32(?,000003E8), ref: 1000123D
SendMessageW.USER32(00000000), ref: 10001246
LoadLibraryA.KERNEL32(SHELL32,00005503,?,00000204), ref: 1000125A
LoadStringW.USER32(00000000), ref: 10001261
GetDlgItem.USER32(?,000003EC), ref: 1000127E
SendMessageW.USER32(00000000), ref: 10001281

Strings

SHELL32, xrefs: 10001255

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: ItemLoadMessageSend$LibraryNameStringUserwsprintf
String ID: SHELL32
API String ID: 970484078-1756878077
Opcode ID: f617acc9506dc185ec153b645465450b41fe0ffbb218363b05879e49e8b089b4
Instruction ID: 99095764c372e153b6451f99a75ed4cd9f4541ce9e740321d50607094a9c9112
Opcode Fuzzy Hash: f617acc9506dc185ec153b645465450b41fe0ffbb218363b05879e49e8b089b4
Instruction Fuzzy Hash: B021E0B2900128EAEB11EB94DC85FDA77BCEB046C1F018196F705F7154DA709F498FA4

Function 10001A46 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(000000FF,00000028,771B2E90,00000000,100024C0,SeDebugPrivilege,00000001,?,?,771B2E90), ref: 10001A5A
LookupPrivilegeValueW.ADVAPI32(00000000,00000010,?), ref: 10001A73
AdjustTokenPrivileges.ADVAPI32(771B2E90,00000000,00000001,00000010,00000001,00000010), ref: 10001AA3
GetLastError.KERNEL32 ref: 10001AAF
CloseHandle.KERNEL32(771B2E90), ref: 10001AD0

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Token$AdjustCloseErrorHandleLastLookupOpenPrivilegePrivilegesProcessValue
String ID:
API String ID: 379965542-0
Opcode ID: 0f232aef3a96b309bd6a0f3cca63768b85361136d919c17ad0cba15be69951ab
Instruction ID: 641a09e4c9f4efc63bdbeae1072b8237f19d681d31db9b5d384132f34a18873b
Opcode Fuzzy Hash: 0f232aef3a96b309bd6a0f3cca63768b85361136d919c17ad0cba15be69951ab
Instruction Fuzzy Hash: 8811E876A0024DAFEB01CFE4CCC5AEEBBFCEB04384F104565E551D6194D7B49A849B61

Function 050D56B0 Relevance: 86.0, APIs: 32, Strings: 17, Instructions: 245stringfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(050F8A00,050D886C), ref: 050D56DA
wsprintfW.USER32 ref: 050D5702
lstrcatW.KERNEL32(050F8A00,=hex:), ref: 050D575B
lstrcatW.KERNEL32(050F8A00,=hex(0):), ref: 050D5776
lstrcatW.KERNEL32(050F8A00,=hex(2):), ref: 050D5791
lstrcatW.KERNEL32(050F8A00,050D893C), ref: 050D5855
lstrlenW.KERNEL32(050F8A00,05120EC0,00000000), ref: 050D5866
WriteFile.KERNEL32(05120EC0,050F8A00,00000000), ref: 050D5878
lstrlenW.KERNEL32(050F8A00), ref: 050D5888
lstrcpyW.KERNEL32(050F8A00,050D8944), ref: 050D58BB
wsprintfW.USER32 ref: 050D5914
lstrcatW.KERNEL32(050F8A00,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D5927
lstrlenW.KERNEL32(050F8A00), ref: 050D593C
lstrcatW.KERNEL32(050F8A00,050D8958), ref: 050D5956
lstrcatW.KERNEL32(050F8A00,\), ref: 050D5968
lstrlenW.KERNEL32(050F8A00,05120EC0,00000000), ref: 050D5979
WriteFile.KERNEL32(05120EC0,050F8A00,00000000), ref: 050D598B
lstrcatW.KERNEL32(050F8A00,050D8968), ref: 050D59BC
lstrcatW.KERNEL32(050F8A00,"DisableDisallowedTrafficAlert"=dword:00000001), ref: 050D59CC
lstrcatW.KERNEL32(050F8A00,"), ref: 050D59DC
lstrlenW.KERNEL32(050F8A00,05120EC0,00000000), ref: 050D59ED
WriteFile.KERNEL32(05120EC0,050F8A00,00000000), ref: 050D59FF
wsprintfW.USER32 ref: 050D5A22
lstrlenW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001,05120EC0,00000000), ref: 050D5A36
WriteFile.KERNEL32(05120EC0,"DisableDisallowedTrafficAlert"=dword:00000001,00000000), ref: 050D5A48

Strings

=hex(2):, xrefs: 050D5787
=hex(6):, xrefs: 050D57BD
"DisableDisallowedTrafficAlert"=dword:00000001, xrefs: 050D56E6, 050D56F3, 050D59A5, 050D59C2, 050D5A1D, 050D5A31, 050D5A3F
\, xrefs: 050D595E
", xrefs: 050D59D2
%02x,, xrefs: 050D590A
=hex(5):, xrefs: 050D57A2
=hex(8):, xrefs: 050D57ED
=hex(9):, xrefs: 050D5805
=hex(b):, xrefs: 050D5835
=hex(0):, xrefs: 050D576C
%s=dword:%08x, xrefs: 050D5A18
=hex(a):, xrefs: 050D581D
=hex:, xrefs: 050D5751
"%s", xrefs: 050D56F8
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg, xrefs: 050D590F, 050D591D
=hex(7):, xrefs: 050D57D5

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: lstrcat$lstrlen$FileWrite$wsprintf$lstrcpy
String ID: "$"%s"$"DisableDisallowedTrafficAlert"=dword:00000001$%02x,$%s=dword:%08x$=hex(0):$=hex(2):$=hex(5):$=hex(6):$=hex(7):$=hex(8):$=hex(9):$=hex(a):$=hex(b):$=hex:$C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg$\
API String ID: 1628572585-183838596
Opcode ID: a27a70e1f71311d26b2ce04b44b2c5047a8d6d7ad3ebace06f67c8f6c83266c7
Instruction ID: 701d82eadec43e4d90a3181b64fdf22a4c40f63f2548650998d7d3c2888e39af
Opcode Fuzzy Hash: a27a70e1f71311d26b2ce04b44b2c5047a8d6d7ad3ebace06f67c8f6c83266c7
Instruction Fuzzy Hash: A0917530644345EBDF549F94FD4ABAEBBB2FF00616F008054FE12A9184CBB45A64DBB2

Function 0040650D Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 00406520
lstrlenW.KERNEL32(?), ref: 0040652D
GetVersionExW.KERNEL32(?), ref: 0040658B

Part of subcall function 0040618C: CharUpperW.USER32(?,00406562,?), ref: 00406192

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 004065CA
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004065E9
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004065F3
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004065FE
FreeLibrary.KERNEL32(00000000), ref: 00406635
GlobalFree.KERNEL32(?), ref: 0040663E

Strings

EnumProcessModules, xrefs: 004065EB
GetModuleBaseNameW, xrefs: 004065F5
EnumProcesses, xrefs: 004065E3
Kernel32.DLL, xrefs: 004066FC
Process32NextW, xrefs: 00406729
Unknown, xrefs: 0040665D
Module32NextW, xrefs: 0040673F
Process32FirstW, xrefs: 0040671E
PSAPI.DLL, xrefs: 004065C5
Module32FirstW, xrefs: 00406734
CreateToolhelp32Snapshot, xrefs: 00406716

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: 40333aef454c47322eec6f7f9158de98af9d91ef9b06c0be04974d32da86a69b
Instruction ID: 8cac56bd889a6922fafa0e84fcbe499284ae1ad590ea9cc90dd23bfef8a88dc9
Opcode Fuzzy Hash: 40333aef454c47322eec6f7f9158de98af9d91ef9b06c0be04974d32da86a69b
Instruction Fuzzy Hash: 18918671900219EBDF10AFA5CD88AAE7AB8FF45341F11807AE546F2290DB788A55CF58

Function 050D3994 Relevance: 68.7, APIs: 26, Strings: 13, Instructions: 461stringfilewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 050D6045: lstrcpyW.KERNEL32(?,?), ref: 050D605E
Part of subcall function 050D6045: GlobalFree.KERNEL32 ref: 050D606F

Part of subcall function 050D4B53: lstrlenW.KERNEL32(?), ref: 050D4B60
Part of subcall function 050D4B53: lstrcpynW.KERNEL32(?,?,?), ref: 050D4C48
Part of subcall function 050D4B53: lstrcpynW.KERNEL32(00000000,?,?), ref: 050D4CD3

FindWindowExW.USER32(?,00000000,#32770,00000000), ref: 050D3B57
GetDlgItem.USER32(00000000), ref: 050D3B5E
CreateFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg,00000004,00000000,00000000,00000003,00000000,00000000), ref: 050D3C15
CreateFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg,40000000,00000000,00000000,00000002,00000080,00000000), ref: 050D3C54
WriteFile.KERNEL32(000000FF,050D8140,00000002,?,00000000), ref: 050D3C98
lstrlenW.KERNEL32(Windows Registry Editor Version 5.00,?,00000000), ref: 050D3CB5
WriteFile.KERNEL32(000000FF,Windows Registry Editor Version 5.00,00000000), ref: 050D3CCA
lstrcpynW.KERNEL32(-00000008,05130EC0,00000124), ref: 050D3D08
lstrcpynW.KERNEL32(05130EC0,-00000008,00000124), ref: 050D3D53
SendMessageW.USER32(00000000,0000000C,00000000,05130EC0), ref: 050D3D99
wsprintfW.USER32 ref: 050D3DE5
wsprintfW.USER32 ref: 050D3E29
lstrlenW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001,?,00000000), ref: 050D3E40
WriteFile.KERNEL32(000000FF,"DisableDisallowedTrafficAlert"=dword:00000001,00000000), ref: 050D3E55
wsprintfW.USER32 ref: 050D3E71
lstrlenW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001,?,00000000), ref: 050D3E88
WriteFile.KERNEL32(000000FF,"DisableDisallowedTrafficAlert"=dword:00000001,00000000), ref: 050D3E9D
lstrcmpiW.KERNEL32(05118C60,?), ref: 050D3F48
lstrcpynW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001,05130EC0,00000124), ref: 050D4006
lstrcatW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001,050D8228), ref: 050D4023
lstrcatW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001,05118A00), ref: 050D4033
lstrcpynW.KERNEL32(-00000008,"DisableDisallowedTrafficAlert"=dword:00000001,00000124), ref: 050D4076
lstrlenW.KERNEL32(050D822C,?,00000000), ref: 050D40B2
WriteFile.KERNEL32(000000FF,050D8234,00000000), ref: 050D40C7
CloseHandle.KERNEL32(000000FF), ref: 050D40D4
SendMessageW.USER32(00000000,0000000C,00000000,050D89D4), ref: 050D410C

Strings

/A=, xrefs: 050D3AD6
"DisableDisallowedTrafficAlert"=dword:00000001, xrefs: 050D3A3C, 050D3A74, 050D3AAF, 050D3ADB, 050D3B15, 050D3B7A, 050D3DE0, 050D3E24, 050D3E3B, 050D3E49, 050D3E6C, 050D3E83, 050D3E91, 050D4001, 050D401E, 050D402E, 050D4067
/B=, xrefs: 050D3B10
#32770, xrefs: 050D3B4C
/N=, xrefs: 050D3AAA
[%s\%s], xrefs: 050D3E67
Windows Registry Editor Version 5.00, xrefs: 050D3CBE
/G=, xrefs: 050D3A6F
/D=, xrefs: 050D3B75
[-%s\%s], xrefs: 050D3E1F
Windows Registry Editor Version 5.00, xrefs: 050D3CB0
[%s], xrefs: 050D3DDB
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg, xrefs: 050D3A32, 050D3C10, 050D3C4F

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: File$lstrcpyn$Writelstrlen$wsprintf$CreateMessageSendlstrcat$CloseFindFreeGlobalHandleItemWindowlstrcmpilstrcpy
String ID: [%s\%s]$[%s]$[-%s\%s]$"DisableDisallowedTrafficAlert"=dword:00000001$#32770$/A=$/B=$/D=$/G=$/N=$C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg$Windows Registry Editor Version 5.00$Windows Registry Editor Version 5.00
API String ID: 3381506926-2071499515
Opcode ID: 22dbd562a1b379e33b6ec4f147184710093ed61359966cf9e7cb86c752c1f806
Instruction ID: eea21c44f0785bf61629c034360500c983ecced5aa531e9312f865f300003255
Opcode Fuzzy Hash: 22dbd562a1b379e33b6ec4f147184710093ed61359966cf9e7cb86c752c1f806
Instruction Fuzzy Hash: C602D4B1A41314AAEB60DB50EC4AFEEF7B5BF44705F148188F609661C0DBB59A84CF35

Function 050D4B53 Relevance: 67.8, APIs: 24, Strings: 21, Instructions: 257stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 050D4B60
lstrcpynW.KERNEL32(?,?,?), ref: 050D4C48
lstrcpynW.KERNEL32(00000000,?,?), ref: 050D4CD3
lstrcmpiW.KERNEL32(?,HKEY_CLASSES_ROOT), ref: 050D4CE5
lstrcmpiW.KERNEL32(?,HKCR), ref: 050D4CFB
lstrcpyW.KERNEL32(00000000,HKEY_CLASSES_ROOT), ref: 050D4D1D
lstrcmpiW.KERNEL32(?,HKEY_CURRENT_USER), ref: 050D4D34
lstrcmpiW.KERNEL32(?,HKCU), ref: 050D4D4A
lstrcpyW.KERNEL32(00000000,HKEY_CURRENT_USER), ref: 050D4D6C
lstrcmpiW.KERNEL32(?,HKEY_LOCAL_MACHINE), ref: 050D4D83
lstrcmpiW.KERNEL32(?,HKLM), ref: 050D4D99
lstrcpyW.KERNEL32(00000000,HKEY_LOCAL_MACHINE), ref: 050D4DBB
lstrcmpiW.KERNEL32(?,HKEY_USERS), ref: 050D4DD2
lstrcmpiW.KERNEL32(?,HKU), ref: 050D4DE8
lstrcpyW.KERNEL32(00000000,HKEY_USERS), ref: 050D4E0A
lstrcmpiW.KERNEL32(?,HKEY_PERFORMANCE_DATA), ref: 050D4E21
lstrcmpiW.KERNEL32(?,HKPD), ref: 050D4E37
lstrcpyW.KERNEL32(00000000,HKEY_PERFORMANCE_DATA), ref: 050D4E59
lstrcmpiW.KERNEL32(?,HKEY_CURRENT_CONFIG), ref: 050D4E70
lstrcmpiW.KERNEL32(?,HKCC), ref: 050D4E86
lstrcpyW.KERNEL32(00000000,HKEY_CURRENT_CONFIG), ref: 050D4EA8
lstrcmpiW.KERNEL32(?,HKEY_DYN_DATA), ref: 050D4EBC
lstrcmpiW.KERNEL32(?,HKDD), ref: 050D4ED2
lstrcpyW.KERNEL32(00000000,HKEY_DYN_DATA), ref: 050D4EF4

Strings

HKEY_CURRENT_USER, xrefs: 050D4D63
HKEY_USERS, xrefs: 050D4E01
HKEY_LOCAL_MACHINE, xrefs: 050D4D77
HKEY_PERFORMANCE_DATA, xrefs: 050D4E15
HKDD, xrefs: 050D4EC6
HKEY_LOCAL_MACHINE, xrefs: 050D4DB2
HKEY_CURRENT_CONFIG, xrefs: 050D4E9F
HKCR, xrefs: 050D4CEF
HKEY_DYN_DATA, xrefs: 050D4EB0
HKEY_PERFORMANCE_DATA, xrefs: 050D4E50
HKEY_CURRENT_USER, xrefs: 050D4D28
HKCU, xrefs: 050D4D3E
HKLM, xrefs: 050D4D8D
HKU, xrefs: 050D4DDC
HKPD, xrefs: 050D4E2B
HKEY_CLASSES_ROOT, xrefs: 050D4D14
HKEY_CURRENT_CONFIG, xrefs: 050D4E64
HKEY_CLASSES_ROOT, xrefs: 050D4CD9
HKEY_DYN_DATA, xrefs: 050D4EEB
HKEY_USERS, xrefs: 050D4DC6
HKCC, xrefs: 050D4E7A

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: lstrcmpi$lstrcpy$lstrcpyn$lstrlen
String ID: HKCC$HKCR$HKCU$HKDD$HKEY_CLASSES_ROOT$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_CURRENT_USER$HKEY_DYN_DATA$HKEY_DYN_DATA$HKEY_LOCAL_MACHINE$HKEY_LOCAL_MACHINE$HKEY_PERFORMANCE_DATA$HKEY_PERFORMANCE_DATA$HKEY_USERS$HKEY_USERS$HKLM$HKPD$HKU
API String ID: 2222171190-2311977196
Opcode ID: 2db3cefade2d08be3a232fe0a5a186fd9cba98e8a72ac9337d3224a304d388e7
Instruction ID: 5cd1f67c68a75571f22214bc43d1b38b8efecbef54abffe10dc23c7b3d534688
Opcode Fuzzy Hash: 2db3cefade2d08be3a232fe0a5a186fd9cba98e8a72ac9337d3224a304d388e7
Instruction Fuzzy Hash: 82B11B70605319EBCF64CF64EC89FAEBBB5FF84701F508599E80A9A240DBB49941CF64

Function 004055D9 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00405615
ShowWindow.USER32(?), ref: 00405632
DestroyWindow.USER32 ref: 00405646
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405662
GetDlgItem.USER32(?,?), ref: 00405683
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405697
IsWindowEnabled.USER32(00000000), ref: 0040569E
GetDlgItem.USER32(?,00000001), ref: 0040574D
GetDlgItem.USER32(?,00000002), ref: 00405757
SetClassLongW.USER32(?,000000F2,?), ref: 00405771
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004057C2
GetDlgItem.USER32(?,00000003), ref: 00405868
ShowWindow.USER32(00000000,?), ref: 0040588A
EnableWindow.USER32(?,?), ref: 0040589C
EnableWindow.USER32(?,?), ref: 004058B7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004058CD
EnableMenuItem.USER32(00000000), ref: 004058D4
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004058EC
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004058FF
lstrlenW.KERNEL32(00447250,?,00447250,0046ADC0), ref: 00405928
SetWindowTextW.USER32(?,00447250), ref: 0040593C
ShowWindow.USER32(?,0000000A), ref: 00405A70

Strings

PrD, xrefs: 00405919

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: PrD
API String ID: 184305955-4282739039
Opcode ID: a563f3c2c599501beef882c1b7706b334ab1ef7dde5fcc94fc7aa6df061418cd
Instruction ID: e32f65a829e85eadb9633a2d0af490baa2bc81b7fdf0bb2ead4b0685e6b50708
Opcode Fuzzy Hash: a563f3c2c599501beef882c1b7706b334ab1ef7dde5fcc94fc7aa6df061418cd
Instruction Fuzzy Hash: 87C1AF71500B04EBDB216F61EE89E2B3BA9FB45346F00053EF545B21F0DA799891AF1E

Function 00404218 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004042CD
GetDlgItem.USER32(?,000003E8), ref: 004042E1
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004042FE
GetSysColor.USER32(?), ref: 0040430F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040431D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040432B
lstrlenW.KERNEL32(?), ref: 00404336
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404343
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404352

Part of subcall function 0040412A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404284,?), ref: 00404141
Part of subcall function 0040412A: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404284,?), ref: 00404150
Part of subcall function 0040412A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404284,?), ref: 00404164

GetDlgItem.USER32(?,0000040A), ref: 004043AA
SendMessageW.USER32(00000000), ref: 004043B1
GetDlgItem.USER32(?,000003E8), ref: 004043DE
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00404421
LoadCursorW.USER32(00000000,00007F02), ref: 0040442F
SetCursor.USER32(00000000), ref: 00404432
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 00404447
LoadCursorW.USER32(00000000,00007F00), ref: 00404453
SetCursor.USER32(00000000), ref: 00404456
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404485
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404497

Strings

open, xrefs: 0040443F
N, xrefs: 004043CC
@%F, xrefs: 00404407

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: 4ce468f3699d88ed665c706f7775ee9aa6dc059267c0d14d93e3607c8b30f664
Instruction ID: 5e7a78df94721a13c93f88c26dc0e1e940185c2092e6ea244a57a3ff362b188b
Opcode Fuzzy Hash: 4ce468f3699d88ed665c706f7775ee9aa6dc059267c0d14d93e3607c8b30f664
Instruction Fuzzy Hash: 9D71B1B1900609BFDF109F60DD85E6A7B69FB84315F00813AFA04B62D1C778A991CF99

Function 050D4F12 Relevance: 36.1, APIs: 12, Strings: 12, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(050D133D,REG_BINARY,?,050D133D,050F8A00), ref: 050D4F1E
lstrcmpiW.KERNEL32(050D133D,REG_DWORD,?,050D133D,050F8A00), ref: 050D4F3B

Strings

REG_NONE, xrefs: 050D4FA6
REG_MULTI_SZ, xrefs: 050D4F89
REG_QWORD, xrefs: 050D5045
REG_RESOURCE_REQUIREMENTS_LIST, xrefs: 050D502B
REG_DWORD, xrefs: 050D4F32
REG_BINARY, xrefs: 050D4F15
REG_DWORD_BIG_ENDIAN, xrefs: 050D4F4F
REG_RESOURCE_LIST, xrefs: 050D4FF7
REG_EXPAND_SZ, xrefs: 050D4F6C
REG_FULL_RESOURCE_DESCRIPTOR, xrefs: 050D5011
REG_SZ, xrefs: 050D4FC0
REG_LINK, xrefs: 050D4FDD

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: lstrcmpi
String ID: REG_BINARY$REG_DWORD$REG_DWORD_BIG_ENDIAN$REG_EXPAND_SZ$REG_FULL_RESOURCE_DESCRIPTOR$REG_LINK$REG_MULTI_SZ$REG_NONE$REG_QWORD$REG_RESOURCE_LIST$REG_RESOURCE_REQUIREMENTS_LIST$REG_SZ
API String ID: 1586166983-3251115134
Opcode ID: 9e26fad8a027873c82b9485fa485dc6f9765d78eb97b3649d2ffdee74fd84037
Instruction ID: 9c1e0b752ea474a7dab62e6fc203e9a2539553e31cc4fe0156706e14a17d132c
Opcode Fuzzy Hash: 9e26fad8a027873c82b9485fa485dc6f9765d78eb97b3649d2ffdee74fd84037
Instruction Fuzzy Hash: E0310970354305BBDB509B65FC5AF6EBEAAAB01B90F40C514BD06CB280EA79D8518BB0

Function 00406BFA Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2D8,NUL), ref: 00406C0A
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406DF1,000000F1,000000F1,00000001,0040700F,?,00000000,000000F1,?), ref: 00406C29
GetShortPathNameW.KERNEL32(000000F1,0045B2D8,00000400), ref: 00406C32

Part of subcall function 00405F16: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406D34,00000000,[Rename]), ref: 00405F26
Part of subcall function 00405F16: lstrlenA.KERNEL32(?,?,00000000,00406D34,00000000,[Rename]), ref: 00405F58

GetShortPathNameW.KERNEL32(000000F1,00460930,00000400), ref: 00406C53
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2D8,000000FF,0045BAD8,00000400,00000000,00000000,?,00000000,?,00406DF1,000000F1,000000F1,00000001,0040700F), ref: 00406C7C
WideCharToMultiByte.KERNEL32(00000000,00000000,00460930,000000FF,0045C128,00000400,00000000,00000000,?,00000000,?,00406DF1,000000F1,000000F1,00000001,0040700F), ref: 00406C94
wsprintfA.USER32 ref: 00406CAE
GetFileSize.KERNEL32(00000000,00000000,00460930,C0000000,00000004,00460930,?,?,00000000,000000F1,?), ref: 00406CE6
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406CF5
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406D11
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406D41
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C528,00000000,-0000000A,004098AC,00000000,[Rename]), ref: 00406D98

Part of subcall function 00405FB0: GetFileAttributesW.KERNELBASE(00000003,004036BC,004DF0D8,80000000,00000003), ref: 00405FB4
Part of subcall function 00405FB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405FD6

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406DAC
GlobalFree.KERNEL32(00000000), ref: 00406DB3
CloseHandle.KERNEL32(?), ref: 00406DBD

Strings

[Rename], xrefs: 00406D29, 00406D38
%s=%s, xrefs: 00406CA4
0F, xrefs: 00406C49
NUL, xrefs: 00406BFF

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: %s=%s$0F$NUL$[Rename]
API String ID: 565278875-2063020953
Opcode ID: e0014d3f174d201f701c5d3f5aee3fb449f0ed8f00eb016f1380403eef9c3722
Instruction ID: 01698a087521ae3c061db779a59327618d621d7377b5f04441123a8e0743360b
Opcode Fuzzy Hash: e0014d3f174d201f701c5d3f5aee3fb449f0ed8f00eb016f1380403eef9c3722
Instruction Fuzzy Hash: B6413732204209BFC2202BA1DD88D6F3AACDF86764B16043EF546F22D1DA3DD819867D

Function 050D1000 Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00030E10), ref: 050D1024

Part of subcall function 050D6045: lstrcpyW.KERNEL32(?,?), ref: 050D605E
Part of subcall function 050D6045: GlobalFree.KERNEL32 ref: 050D606F

Part of subcall function 050D4B53: lstrlenW.KERNEL32(?), ref: 050D4B60
Part of subcall function 050D4B53: lstrcpynW.KERNEL32(?,?,?), ref: 050D4C48
Part of subcall function 050D4B53: lstrcpynW.KERNEL32(00000000,?,?), ref: 050D4CD3

FindWindowExW.USER32(?,00000000,#32770,00000000), ref: 050D12E0
GetDlgItem.USER32(00000000), ref: 050D12E7
GlobalFree.KERNEL32(?), ref: 050D13FA

Part of subcall function 050D4F12: lstrcmpiW.KERNEL32(050D133D,REG_BINARY,?,050D133D,050F8A00), ref: 050D4F1E

Part of subcall function 050D5D1B: RegOpenKeyExW.KERNELBASE(00020019,00000000,00000000,?,050D13BB,?,?,050D13BB,?,?,00000000,00020019,?), ref: 050D5D31

Part of subcall function 050D5D9F: RegCloseKey.ADVAPI32(050D13D4,?,?,050D13D4,?), ref: 050D5DA7

Part of subcall function 050D6268: wsprintfW.USER32 ref: 050D6280

Strings

/V=, xrefs: 050D11D4
/B=, xrefs: 050D1292
"DisableDisallowedTrafficAlert"=dword:00000001, xrefs: 050D10AC, 050D10FB, 050D1132, 050D1169, 050D119A, 050D11D9, 050D1219, 050D1258, 050D1297, 050D1322
/K=, xrefs: 050D1195
/N=, xrefs: 050D10F6
/G=, xrefs: 050D1253
/S=, xrefs: 050D1214
/T=, xrefs: 050D131D
/NS=, xrefs: 050D112D
/NI=, xrefs: 050D1164
#32770, xrefs: 050D12D5

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: Global$Freelstrcpyn$AllocCloseFindItemOpenWindowlstrcmpilstrcpylstrlenwsprintf
String ID: "DisableDisallowedTrafficAlert"=dword:00000001$#32770$/B=$/G=$/K=$/N=$/NI=$/NS=$/S=$/T=$/V=
API String ID: 1121994691-1995937050
Opcode ID: 3d661cbf806cfb8cbc11579232812e49489d5806a67e062e64dd814791125403
Instruction ID: 924b8b92ecabdf915310f02a75c463ae47fe69fe8fb59f53e4c747b4b9f546fe
Opcode Fuzzy Hash: 3d661cbf806cfb8cbc11579232812e49489d5806a67e062e64dd814791125403
Instruction Fuzzy Hash: 6E918D74655300ABEB50DB10FC57FEEBAA1BF00744F18C164FA055AA81DFB9A442CB7A

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 050D15CF Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 499stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?), ref: 050D1901

Part of subcall function 050D60CF: GlobalAlloc.KERNEL32(00000040,?,?,050D140A,050D8060), ref: 050D60E5
Part of subcall function 050D60CF: lstrcpynW.KERNEL32(00000004,?,?,050D140A,050D8060), ref: 050D60FB

Strings

BANNER, xrefs: 050D1779
"DisableDisallowedTrafficAlert"=dword:00000001, xrefs: 050D1ACA, 050D1AE9, 050D1BC6, 050D1BE9, 050D1BFF, 050D1C32
REG_KEY, xrefs: 050D1D2B

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: AllocGloballstrcmpilstrcpyn
String ID: "DisableDisallowedTrafficAlert"=dword:00000001$BANNER$REG_KEY
API String ID: 791246173-3827714242
Opcode ID: 4831736b271707edba949a064fac2ad88d764c1294892ce96f0d046199c1eb1f
Instruction ID: d07aaee6dd5459be72594ece61b78993c68a52df735546c78ceb6fc14f81c543
Opcode Fuzzy Hash: 4831736b271707edba949a064fac2ad88d764c1294892ce96f0d046199c1eb1f
Instruction Fuzzy Hash: BB125F706193009BDB04CB14E897BFEBBA6BF44345F18C129F5059B681DF39A542CB7A

Function 10001DD8 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 69stringwindowCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,0000001E), ref: 10001E12
lstrcmpiW.KERNEL32(?,#32770), ref: 10001E1D
GetDlgItem.USER32(?,00000105), ref: 10001E3B
GetClassNameW.USER32(00000000), ref: 10001E3E
lstrcmpiW.KERNEL32(?,SysCredential), ref: 10001E49
GetDlgItem.USER32(?,00000106), ref: 10001E65
SendMessageW.USER32(00000000), ref: 10001E6E
GetDlgItem.USER32(?,00000104), ref: 10001E82
SendMessageW.USER32(00000000), ref: 10001E85
CallNextHookEx.USER32(00000000,?,?), ref: 10001E94

Strings

SysCredential, xrefs: 10001E43
#32770, xrefs: 10001E17

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Item$ClassMessageNameSendlstrcmpi$CallHookNext
String ID: #32770$SysCredential
API String ID: 1156005039-2483313885
Opcode ID: 089ab9db27a33d557b0723fcdc9cd5293fa2ba8d2f3fe58a0801f9a03ce5cffb
Instruction ID: 184430e2f011cc33a40a60741d721aa7ca2ac319d4a280f09fdd692187c7b284
Opcode Fuzzy Hash: 089ab9db27a33d557b0723fcdc9cd5293fa2ba8d2f3fe58a0801f9a03ce5cffb
Instruction Fuzzy Hash: 23115171A40359BBFB21EBA5CC89FCE77BCEB04785F114815FB51A60A4DBB0E8448B64

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Strings

WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 3ae8cee2063955009b0802897bce6cd90532588b84fc30e495d30c60ac9c7f0c
Instruction ID: 5079a85d00332eb89b956210b0bf8ab3b344c965529248026cf182ae6f79859d
Opcode Fuzzy Hash: 3ae8cee2063955009b0802897bce6cd90532588b84fc30e495d30c60ac9c7f0c
Instruction Fuzzy Hash: B741AEB2D00208FFDF11AF91CE46EAEBBB9EB04704F21403BF605721A2D6794B519B59

Function 10002488 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 100024A9

Part of subcall function 10001A46: OpenProcessToken.ADVAPI32(000000FF,00000028,771B2E90,00000000,100024C0,SeDebugPrivilege,00000001,?,?,771B2E90), ref: 10001A5A
Part of subcall function 10001A46: LookupPrivilegeValueW.ADVAPI32(00000000,00000010,?), ref: 10001A73
Part of subcall function 10001A46: AdjustTokenPrivileges.ADVAPI32(771B2E90,00000000,00000001,00000010,00000001,00000010), ref: 10001AA3
Part of subcall function 10001A46: GetLastError.KERNEL32 ref: 10001AAF
Part of subcall function 10001A46: CloseHandle.KERNEL32(771B2E90), ref: 10001AD0

OpenProcess.KERNEL32(00000040,00000000,?,SeDebugPrivilege,00000001,?,?,771B2E90), ref: 100024C6
GetLastError.KERNEL32(?,771B2E90), ref: 100024D3
DuplicateHandle.KERNEL32(000000FF,000000FF,00000000,?,00000040,00000000,00000001,?,771B2E90), ref: 100024EC
SendMessageW.USER32(00008004,00000539,?,SeDebugPrivilege), ref: 10002515

Strings

SeDebugPrivilege, xrefs: 100024B2, 100024BA, 100024F6

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Process$ErrorHandleLastOpenToken$AdjustCloseDuplicateLookupMessagePrivilegePrivilegesSendThreadValueWindow
String ID: SeDebugPrivilege
API String ID: 3436673191-2896544425
Opcode ID: 3f575ee20474554fa290eb5dc8a05ffa52b684c4e48b86f9c3c8d50086696208
Instruction ID: f28064a67212c5a8eeb97c9990993a0e7589225466916cf5252ee1b79bd4334c
Opcode Fuzzy Hash: 3f575ee20474554fa290eb5dc8a05ffa52b684c4e48b86f9c3c8d50086696208
Instruction Fuzzy Hash: DF21D1B1A00628BFF701DF908CC5FAA3B6EE7043D5F120121F300A20E8DBB04E559B28

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 06e6189e5d07374b733879bc4861fab23cc752c40dce92ef7b4482c5c8a3de7f
Instruction ID: 57b2aa6120a879797d080cb9b9733de2ac9adc2ca39637b5dc0b79c3231e6313
Opcode Fuzzy Hash: 06e6189e5d07374b733879bc4861fab23cc752c40dce92ef7b4482c5c8a3de7f
Instruction Fuzzy Hash: BA31C272800115BBCB11AFA8CE45DAF7FB8EF08324F10023AF655B61E1DB794E419B98

Function 00406248 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406435,00000000), ref: 0040625F
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,00406435,00000000), ref: 0040629D
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 004062D6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 004062E2
lstrcatW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),004096A8), ref: 004062FC
lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),?,?,00406435,00000000), ref: 00406303
WriteFile.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00000000,00406435,00000000,?,?,00406435,00000000), ref: 00406318

Strings

Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""), xrefs: 004062F6, 004062FB, 00406302, 00406311

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"")
API String ID: 3734993849-3283049713
Opcode ID: 9fa50d1adb4a17e963d4e637509519975a2aeadd9521b9408314cb2d14ea49f5
Instruction ID: e74be36d315582b52cf8810fbf669e52dd667146d2b91da865e79faa34e4d15c
Opcode Fuzzy Hash: 9fa50d1adb4a17e963d4e637509519975a2aeadd9521b9408314cb2d14ea49f5
Instruction Fuzzy Hash: 1A21C271500240FBD710AFA4DD88DA73728EB41374B25C33AFA26B61E0E7784995CBAD

Function 100025BA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00008003,00000000,00000000), ref: 10002600
SendMessageW.USER32(00008003,00000001,00000000), ref: 1000260F
PostMessageW.USER32(?,00000408,?,00000000), ref: 1000262A
GetWindowRect.USER32(?,?), ref: 10002633
SetWindowPos.USER32(?,?,?,?,00000000,00000000,00000001), ref: 10002649
PostMessageW.USER32(00008002,?,?), ref: 10002660
CallWindowProcW.USER32(?,00000047,?,?), ref: 10002680

Strings

G, xrefs: 100025C0

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Message$Window$PostSend$CallProcRect
String ID: G
API String ID: 3451797191-985283518
Opcode ID: 276970862d3a67256e407dc1d8ec7596bd3ebb39545d5d82955e00c61c88e694
Instruction ID: 918a90b7578ccc224bbcf0950e32afede6c57029d1e046dd772ed2f5749f82d9
Opcode Fuzzy Hash: 276970862d3a67256e407dc1d8ec7596bd3ebb39545d5d82955e00c61c88e694
Instruction Fuzzy Hash: 1B215EB550012DBEEF119F94CD85EAE3F79FB04395F014015FA44A50B4C7B24D61EB64

Function 100021B1 Relevance: 13.6, APIs: 9, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 1000224C
SetForegroundWindow.USER32(?), ref: 1000225A
ShowWindow.USER32(?,00000000), ref: 10002265
DuplicateHandle.KERNEL32(000000FF,00000000,?,00000006,00000000,00000000), ref: 100022BC
DuplicateHandle.KERNEL32(000000FF,?,?,?,00100002,00000000,00000000), ref: 100022F2
DestroyWindow.USER32(?), ref: 1000231D
PostMessageW.USER32(00000000,00000012,00000000,00000000), ref: 1000232D
DefWindowProcW.USER32(?,?,?,?), ref: 1000233D

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Window$DuplicateHandle$DestroyForegroundLongMessagePostProcShow
String ID:
API String ID: 947104246-0
Opcode ID: be6f18889104940bc08923d782848733ff92bcea5006720bf1062cb5151e37cd
Instruction ID: 872890f326dd86a1f175bb7553751e41c479adeaadde458f9f7537b73c1eaa25
Opcode Fuzzy Hash: be6f18889104940bc08923d782848733ff92bcea5006720bf1062cb5151e37cd
Instruction Fuzzy Hash: 184157B160421AEBFB50CFA8CC85B9A3BA4FB047C0F118121F955D61ACDBB4EE50DB60

Function 10001FD0 Relevance: 13.5, APIs: 9, Instructions: 30filesynchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 10001FD0
GetCurrentThreadId.KERNEL32 ref: 10001FD6
SendMessageW.USER32(00000010,00000000,00000000), ref: 10001FFE
WaitForSingleObject.KERNEL32(000000FF), ref: 1000200C
CloseHandle.KERNEL32 ref: 10002018
CloseHandle.KERNEL32 ref: 10002020
CloseHandle.KERNEL32 ref: 10002028
UnmapViewOfFile.KERNEL32 ref: 10002030
CloseHandle.KERNEL32 ref: 1000203C

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: CloseHandle$Current$FileMessageObjectProcessSendSingleThreadUnmapViewWait
String ID:
API String ID: 1555270478-0
Opcode ID: 9e60369701609aae8eb9e9b471fbe79b5df2cf09f0236b1b1ba66e4d4f198a8f
Instruction ID: 694c6f7247dcef14e850320db2a395f96bfe1e563e75d3cfc277fa498a93e4c8
Opcode Fuzzy Hash: 9e60369701609aae8eb9e9b471fbe79b5df2cf09f0236b1b1ba66e4d4f198a8f
Instruction Fuzzy Hash: F0F0B7B0801175EFFB116B60CD88B8A3FA5FB043D2B024121F2519107DDF7108A1EF58

Function 00403F2A Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403F44
GetSysColor.USER32(00000000), ref: 00403F60
SetTextColor.GDI32(?,00000000), ref: 00403F6C
SetBkMode.GDI32(?,?), ref: 00403F78
GetSysColor.USER32(?), ref: 00403F8B
SetBkColor.GDI32(?,?), ref: 00403F9B
DeleteObject.GDI32(?), ref: 00403FB5
CreateBrushIndirect.GDI32(?), ref: 00403FBF

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: d1251e89d25211f29e22ed1568f44ff950bb01ff11d0b068515cddd17a3a0421
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 26115171904705ABC7219F78DE08B5BBFF8AF01715B05893DE886E22A0D738EA488B54

Function 004050D2 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
lstrcatW.KERNEL32(0043B238,00403361), ref: 0040512D
SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

Part of subcall function 00406966: GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 5e5d700da742a3d6d340dab77f0fdb3d38b9a8a0b9685d170e55f73d5ea00312
Instruction ID: 8b6ba25b3567668a3d709078441474e2f94ee86325c17f48cbe0efe0ef4ad692
Opcode Fuzzy Hash: 5e5d700da742a3d6d340dab77f0fdb3d38b9a8a0b9685d170e55f73d5ea00312
Instruction Fuzzy Hash: 2021AF71C00618BECF129FA5DD84A9FBFB5EF48314F10813AF908BA290D7784A509F99

Function 00406199 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 004061FC
CharNextW.USER32(?,?,?,00000000), ref: 0040620B
CharNextW.USER32(?,004D70C8,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406210
CharPrevW.USER32(?,?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,004D70C8,00000000,00403920,004D70C8,-00000002,00403B6B), ref: 00406224

Strings

"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" , xrefs: 004061A3
*?|<>/":, xrefs: 004061EB

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" $*?|<>/":
API String ID: 589700163-317551869
Opcode ID: 1d09d8738e5602742b586041446eac83eeb7776b51f76f2679a8714e99ae6001
Instruction ID: 45f9d4f3dcf6299a058aa2101cc88fb20adbc263b608899fab4a560a17f1b311
Opcode Fuzzy Hash: 1d09d8738e5602742b586041446eac83eeb7776b51f76f2679a8714e99ae6001
Instruction Fuzzy Hash: 0E11C82580062195CB307B698C4097B76E8AE55790756443FECC6F72C2EB7C9CA1C2AD

Function 004032E7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00403302
GetTickCount.KERNEL32 ref: 00403320
wsprintfW.USER32 ref: 0040334E

Part of subcall function 004050D2: lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
Part of subcall function 004050D2: lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
Part of subcall function 004050D2: lstrcatW.KERNEL32(0043B238,00403361), ref: 0040512D
Part of subcall function 004050D2: SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
Part of subcall function 004050D2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

CreateDialogParamW.USER32(0000006F,00000000,00403268,00000000), ref: 00403372
ShowWindow.USER32(00000000,00000005), ref: 00403380

Part of subcall function 0040324C: MulDiv.KERNEL32(00000000,00000064,000034B0), ref: 00403261

Strings

... %d%%, xrefs: 00403348

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 96c2a724128113feeb2dba6851438288d590ea99915262e15a0359641590fb8d
Instruction ID: 7cd9398b14f8ade0b0fcf895a8ee56c548843aa05ddcd0bd44aa2535a42f6e46
Opcode Fuzzy Hash: 96c2a724128113feeb2dba6851438288d590ea99915262e15a0359641590fb8d
Instruction Fuzzy Hash: 5C011E30445610EBC721AFA4EE89A9E7E6CEB05706B14413FFE45B11E0CB785A858BAD

Function 004049AE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004049C9
GetMessagePos.USER32 ref: 004049D1
ScreenToClient.USER32(?,?), ref: 004049E9
SendMessageW.USER32(?,00001111,00000000,?), ref: 004049FB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404A21

Strings

f, xrefs: 004049FD

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 27f0785cdc5f68d0066a8e7a1d7e71ccbf55bb55bf6eb3414b3d297d9b41ad7b
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: 81015271A4021CBADB00DB94DD85BEEBBB8AF54711F10412ABA50B61D0D7B45A058BA5

Function 00403268 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403286
wsprintfW.USER32 ref: 004032BA
SetWindowTextW.USER32(?,?), ref: 004032CA
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032DC

Strings

verifying installer: %d%%, xrefs: 004032AF
unpacking data: %d%%, xrefs: 004032A8, 004032B5

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: dee786f0fd9cdd3f8c0fb31302e7a2050583a55b44ce5b4915f07339fad65024
Instruction ID: bfe6641e6ef7cc7b54ecc28104225e3c2b90f8d7ad59e83b9ab1f1d0914f92a4
Opcode Fuzzy Hash: dee786f0fd9cdd3f8c0fb31302e7a2050583a55b44ce5b4915f07339fad65024
Instruction Fuzzy Hash: CAF0317050010DABDF209F61DD4ABAA3B69EB10349F00807EFA46B91D1CBB986598F99

Function 100014CC Relevance: 9.1, APIs: 6, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E8), ref: 10001501
SendMessageW.USER32(00000000), ref: 1000150A
GetDlgItem.USER32(?,000003E9), ref: 10001523
SendMessageW.USER32(00000000), ref: 10001526
GetDlgItem.USER32(000003EF,000003EC), ref: 10001550
EnableWindow.USER32(00000000), ref: 10001553

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Item$MessageSend$EnableWindow
String ID:
API String ID: 2158911739-0
Opcode ID: 24ba21cfe8c34813aa998a640d71c42d4387c6654da2b463e93e8f323967fa4b
Instruction ID: e2d2e6678e631a738ddc6b4dee7cc50119bb28f1d5d7ae6152070b5b63b1966e
Opcode Fuzzy Hash: 24ba21cfe8c34813aa998a640d71c42d4387c6654da2b463e93e8f323967fa4b
Instruction Fuzzy Hash: CA117C71900258BFFF02AFA5DC84AEE3FADEB40394F04C466F9149B1A5C6748A51DF90

Function 10002042 Relevance: 9.0, APIs: 6, Instructions: 47windowthreadCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32(?,00000006), ref: 10002066
TranslateMessage.USER32(00000006), ref: 10002074
DispatchMessageW.USER32(00000006), ref: 1000207E
PeekMessageW.USER32(00000006,00000000,00000000,00000000,00000001), ref: 1000208D
GetCurrentProcessId.KERNEL32 ref: 10002099
GetCurrentThreadId.KERNEL32 ref: 1000209F

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Message$Current$DialogDispatchPeekProcessThreadTranslate
String ID:
API String ID: 1591844402-0
Opcode ID: db7d7b526615e9639b7f9b6bf0b22303f1866cf65982a1d94fd2c8c014de09d0
Instruction ID: 331d87cadb7f605eddd9b04f27fcaea5197d82334009f26882172e6f8b3aaa53
Opcode Fuzzy Hash: db7d7b526615e9639b7f9b6bf0b22303f1866cf65982a1d94fd2c8c014de09d0
Instruction Fuzzy Hash: F1018F7290025AEBEB10DFA5CC888DF7BBCEB847C0B104025FA46D301EE7749985CBA0

Function 10001ADD Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,80000000,00000000), ref: 10001AF1
OpenServiceW.ADVAPI32(00000000,?,00000004,00000000,00000000), ref: 10001B05
QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B1C
CloseServiceHandle.ADVAPI32(00000000), ref: 10001B2F
CloseServiceHandle.ADVAPI32(00000000), ref: 10001B32
GetLastError.KERNEL32 ref: 10001B38

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Service$CloseHandleOpen$ErrorLastManagerQueryStatus
String ID:
API String ID: 3744063808-0
Opcode ID: d4c2a254ee82679244d82d9af3f9926c066a3018744546f3792a4dc0a2d47459
Instruction ID: 15a920e18fdd7bb7d9efb61c7c743de53b5eda2f3bc62133ff02163150c1d3b6
Opcode Fuzzy Hash: d4c2a254ee82679244d82d9af3f9926c066a3018744546f3792a4dc0a2d47459
Instruction Fuzzy Hash: DDF0283AA083A87BFB1257B18C88FEE7F7CEB482D1F000065FA81A1199D7B4C549C761

Function 050D304E Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 219stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 050D6045: lstrcpyW.KERNEL32(?,?), ref: 050D605E
Part of subcall function 050D6045: GlobalFree.KERNEL32 ref: 050D606F

Part of subcall function 050D4B53: lstrlenW.KERNEL32(?), ref: 050D4B60
Part of subcall function 050D4B53: lstrcpynW.KERNEL32(?,?,?), ref: 050D4C48
Part of subcall function 050D4B53: lstrcpynW.KERNEL32(00000000,?,?), ref: 050D4CD3

Part of subcall function 050D5D1B: RegOpenKeyExW.KERNELBASE(00020019,00000000,00000000,?,050D13BB,?,?,050D13BB,?,?,00000000,00020019,?), ref: 050D5D31

Part of subcall function 050D5E21: RegQueryValueExW.ADVAPI32(05120EC0,?,00000000,?,00000000,050D27E4,?,?,050D27E4,00000000,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg,00000000,?,05120EC0,00010000), ref: 050D5E3B

RegSetValueExW.ADVAPI32(?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg,00000000,00000003,05120EC0,?), ref: 050D31ED
lstrcatW.KERNEL32(05120EC0,"DisableDisallowedTrafficAlert"=dword:00000001), ref: 050D32F8
lstrlenW.KERNEL32(05120EC0), ref: 050D3303

Strings

"DisableDisallowedTrafficAlert"=dword:00000001, xrefs: 050D3075, 050D30B6, 050D3134, 050D317B, 050D3258, 050D32EE
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg, xrefs: 050D30AC, 050D3114, 050D31E4, 050D32CC, 050D3319

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: Valuelstrcpynlstrlen$FreeGlobalOpenQuerylstrcatlstrcpy
String ID: "DisableDisallowedTrafficAlert"=dword:00000001$C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg
API String ID: 3157898717-1899092919
Opcode ID: 53351db51777ac1252776b8e6cab87a464114de1f5e9963049324956325488e4
Instruction ID: ff33f0296d387e10bf29fe1e5de31ad8bab2ff448085d8905d39738f9c8df99b
Opcode Fuzzy Hash: 53351db51777ac1252776b8e6cab87a464114de1f5e9963049324956325488e4
Instruction Fuzzy Hash: 57914A74E01309DBCB25DF98D84ABEEFBB1FF48700F188598E51567240D7756A84CB62

Function 0040450D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447250,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447250,?), ref: 004045AA
wsprintfW.USER32 ref: 004045B7
SetDlgItemTextW.USER32(?,00447250,000000DF), ref: 004045CA

Strings

PrD, xrefs: 00404562
%u.%u%s%s, xrefs: 004045A4

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$PrD
API String ID: 3540041739-1882686053
Opcode ID: 737b4354604b69ed49da521882824f7eacafb09e8a5ec505cdcd8fffed629745
Instruction ID: 7880dc7fd7a5c0d30aad69498be6142e37c8297d3eb74307a1111cd8f0787a4b
Opcode Fuzzy Hash: 737b4354604b69ed49da521882824f7eacafb09e8a5ec505cdcd8fffed629745
Instruction Fuzzy Hash: B211BD72B002043BCB10AA799D45E9E725EEBC5374F10423BF619F30E0E6788B268669

Function 050D2DD3 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 050D6045: lstrcpyW.KERNEL32(?,?), ref: 050D605E
Part of subcall function 050D6045: GlobalFree.KERNEL32 ref: 050D606F

Part of subcall function 050D4B53: lstrlenW.KERNEL32(?), ref: 050D4B60
Part of subcall function 050D4B53: lstrcpynW.KERNEL32(?,?,?), ref: 050D4C48
Part of subcall function 050D4B53: lstrcpynW.KERNEL32(00000000,?,?), ref: 050D4CD3

Part of subcall function 050D5D1B: RegOpenKeyExW.KERNELBASE(00020019,00000000,00000000,?,050D13BB,?,?,050D13BB,?,?,00000000,00020019,?), ref: 050D5D31

Part of subcall function 050D5E21: RegQueryValueExW.ADVAPI32(05120EC0,?,00000000,?,00000000,050D27E4,?,?,050D27E4,00000000,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg,00000000,?,05120EC0,00010000), ref: 050D5E3B

Part of subcall function 050D5D9F: RegCloseKey.ADVAPI32(050D13D4,?,?,050D13D4,?), ref: 050D5DA7

lstrlenW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001), ref: 050D2F07
lstrlenW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001), ref: 050D2F3A
lstrlenW.KERNEL32("DisableDisallowedTrafficAlert"=dword:00000001), ref: 050D2F49

Strings

"DisableDisallowedTrafficAlert"=dword:00000001, xrefs: 050D2DF4, 050D2EBD, 050D2F02, 050D2F35, 050D2F44
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg, xrefs: 050D2E28, 050D2E82

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: lstrlen$lstrcpyn$CloseFreeGlobalOpenQueryValuelstrcpy
String ID: "DisableDisallowedTrafficAlert"=dword:00000001$C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg
API String ID: 1616757396-1899092919
Opcode ID: 6d761eff6f10c068248bdbb05a06e9464ed1cabe95c301999d5a6b5a0296b531
Instruction ID: 9a35dc00995bb2da8fc2d858c3e94d9edb548192ff4ca2e55e3770482d1927a4
Opcode Fuzzy Hash: 6d761eff6f10c068248bdbb05a06e9464ed1cabe95c301999d5a6b5a0296b531
Instruction Fuzzy Hash: 3A513774E0030AEBDB14DF98E84ABEEFBB5FF18305F108569E50166280E7755A84CBB1

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b0e9a248c90bc4b219d82b224dbd9c03938a54c8e2e96de430ad7f277ae3d019
Instruction ID: 926a3fd6ba00d5bb97a34cee5b023bebcb5cad9bd68352020a6bff24d96e3699
Opcode Fuzzy Hash: b0e9a248c90bc4b219d82b224dbd9c03938a54c8e2e96de430ad7f277ae3d019
Instruction Fuzzy Hash: C3114972500008FFDF119F90EE85DAA3B7AFB54348F00403AFA06B5170D7759E549A29

Function 7026194F Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000808,702622A8,?,00000808), ref: 70261967
GlobalAlloc.KERNEL32(00000040,00000000,?,00000808,702622A8,?,00000808), ref: 7026196E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000808,702622A8,?,00000808), ref: 70261982
GetProcAddress.KERNEL32(702622A8,00000000), ref: 70261989
GlobalFree.KERNEL32(00000000), ref: 70261992

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: f367c12ec365d9b6862d9e994a76a46aae55daff992b72e6ca67cac7f00a6008
Instruction ID: 37374bae435f386f7d8cb27ec9e35d97638abd43d543e61e878b417d1572e5a5
Opcode Fuzzy Hash: f367c12ec365d9b6862d9e994a76a46aae55daff992b72e6ca67cac7f00a6008
Instruction Fuzzy Hash: A1F0127310A1347BD62017A78C4CE9BFE9CDF4B2F5B114211F218951A0C6615C05D6F1

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e9a18080beffe971bb15df4a8f5444ede2e1f7f3a5df9d200604b6a011215d0a
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 32219171900209ABDF15AFB4D986ABD7BB9AF00348F14413EF602F60E2D6798A80D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: cd7a3895cbf7e5bafa2e80516e790e490515dfbff2c3e86001fc46b126d543a9
Instruction ID: 374c3c3b6278fb1c2beb817405795feef458ca782ed8724690096ffa3588498b
Opcode Fuzzy Hash: cd7a3895cbf7e5bafa2e80516e790e490515dfbff2c3e86001fc46b126d543a9
Instruction Fuzzy Hash: BA11C472A00111ABDB10BFA5DD4AABE3AA4EB00354F10443FF50AB61D2D6788A50869D

Function 00404A2C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404A62
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404AD0

Part of subcall function 00403F0F: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403F21

Strings

PrD, xrefs: 00404A94
, xrefs: 00404A3A

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $PrD
API String ID: 3748168415-683102269
Opcode ID: ce2b7f03bb1297be540aa9391ce969a8123c951ec3d3b567541a8540a2105a5e
Instruction ID: 796ae977d962bd2fb4eacbf10a92dd87c42d9844f52e2d7c2fef9845d3ca3dba
Opcode Fuzzy Hash: ce2b7f03bb1297be540aa9391ce969a8123c951ec3d3b567541a8540a2105a5e
Instruction Fuzzy Hash: 5C118FB1684208ABDF219F61DC40E9B3668BF84369F00803BFA0579192C37C8D519FAD

Function 004021B5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 004050D2: lstrlenW.KERNEL32(0043B238,00000000,00000000,00000000), ref: 0040510A
Part of subcall function 004050D2: lstrlenW.KERNEL32(00403361,0043B238,00000000,00000000,00000000), ref: 0040511A
Part of subcall function 004050D2: lstrcatW.KERNEL32(0043B238,00403361), ref: 0040512D
Part of subcall function 004050D2: SetWindowTextW.USER32(0043B238,0043B238), ref: 0040513F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405165
Part of subcall function 004050D2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040517F
Part of subcall function 004050D2: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040518D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
HideCommandLineWindow, xrefs: 004021D6
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d$HideCommandLineWindow
API String ID: 3156913733-3435373328
Opcode ID: d74c362f720958c7a1ea5317b04e4df155dd8d33f350e4367a20e0d4617c29db
Instruction ID: 385da8b202b2a045014f9446d3cad8c85c99a9e265c35722db0b8e87639932c1
Opcode Fuzzy Hash: d74c362f720958c7a1ea5317b04e4df155dd8d33f350e4367a20e0d4617c29db
Instruction Fuzzy Hash: C5018FB2B40214B6D72077B69C87F7B2A9CDB41758B20443BF642F60E3E5BD8851927D

Function 00406385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004063D9
lstrcatW.KERNEL32(00000000,...), ref: 004063FC

Strings

..., xrefs: 004063F4
%02x%c, xrefs: 004063D1

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: 85df159639746478037a26c2e7b04b1779f54c746bce4477c4c8f2341ae68883
Instruction ID: 49b15afb37c1c3cbf89587828b9fbcb2b479192470e11d1a121134da54663489
Opcode Fuzzy Hash: 85df159639746478037a26c2e7b04b1779f54c746bce4477c4c8f2341ae68883
Instruction Fuzzy Hash: 1201D232510219AFCB01CF58CD85A9EBBB9EB44704F218136F856F3280D6749EA48BA8

Function 004051A7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004051B7

Part of subcall function 00403F0F: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403F21

OleUninitialize.OLE32(00000404,00000000), ref: 00405205

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

Strings

Section: "%s", xrefs: 004051D9
Skipping section: "%s", xrefs: 00405215

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 9faf3df30d8341890c428f77cd47873b5149034e1ce4e1928ca9eebd2d14ad04
Instruction ID: b096c94640e0452ae870d043d7677ea343cceb766e7301fd1a80b39db48c4c93
Opcode Fuzzy Hash: 9faf3df30d8341890c428f77cd47873b5149034e1ce4e1928ca9eebd2d14ad04
Instruction Fuzzy Hash: 54F0D6329047009BE2106754AD02B5777A4DF84714F14003FFE44721E2DAF848418A1D

Function 1000128A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(MyRunAsStrings,000000FF,00000000,?,00000208,?), ref: 100012AC
SendMessageW.USER32(00000000), ref: 100012EC

Part of subcall function 100011A5: GetUserNameW.ADVAPI32(?,?), ref: 100011EC
Part of subcall function 100011A5: wsprintfW.USER32 ref: 1000121C
Part of subcall function 100011A5: GetDlgItem.USER32(?,000003E8), ref: 1000123D
Part of subcall function 100011A5: SendMessageW.USER32(00000000), ref: 10001246
Part of subcall function 100011A5: LoadLibraryA.KERNEL32(SHELL32,00005503,?,00000204), ref: 1000125A
Part of subcall function 100011A5: LoadStringW.USER32(00000000), ref: 10001261
Part of subcall function 100011A5: GetDlgItem.USER32(?,000003EC), ref: 1000127E
Part of subcall function 100011A5: SendMessageW.USER32(00000000), ref: 10001281

Strings

MyRunAsStrings, xrefs: 100012A7

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: MessageSend$ItemLoadString$LibraryNamePrivateProfileUserwsprintf
String ID: MyRunAsStrings
API String ID: 2667165715-2281671616
Opcode ID: c8de4ed148812fc98f465fcd8cdc01c027a7dee28ce45558fe763cb554ad6401
Instruction ID: 2c1487b17c35e209138c33c1b13d63161124646cd3dd881dc6dcb0be1a7f4c85
Opcode Fuzzy Hash: c8de4ed148812fc98f465fcd8cdc01c027a7dee28ce45558fe763cb554ad6401
Instruction Fuzzy Hash: 41F0E27050025AEBFF119F50DC49FCA3A79EB017D5F004625BA20A00E8C7B19AB19A5A

Function 70261904 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25stringCOMMON

Download Yara Rule

APIs

Part of subcall function 70261581: GlobalAlloc.KERNELBASE(00000040,?,702615BA,?,?,7026185F,?,70261017), ref: 7026158B

lstrcpyW.KERNEL32(00000000,error), ref: 70261929
wsprintfW.USER32 ref: 70261942

Strings

error, xrefs: 70261923
callback%d, xrefs: 7026193C

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: AllocGloballstrcpywsprintf
String ID: callback%d$error
API String ID: 2689062267-1307476583
Opcode ID: 786d98f1615aa72295d9c3cd9e6cadf5b3f6aaf0a5ecc6dca34e88afebea3d9b
Instruction ID: b5e3f85a35c2281b94234d90c2733b714cf71913e14fb166ed5face83cbb0d00
Opcode Fuzzy Hash: 786d98f1615aa72295d9c3cd9e6cadf5b3f6aaf0a5ecc6dca34e88afebea3d9b
Instruction Fuzzy Hash: E9E0D83370D011E783125A255C58A8D36795F023387284610F95ADAF91C316E9F95682

Function 7026199F Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 702615A3: lstrcpyW.KERNEL32(00000000,?), ref: 702615C1
Part of subcall function 702615A3: GlobalFree.KERNEL32 ref: 702615D2

GlobalFree.KERNEL32(?), ref: 70261A04
GlobalFree.KERNEL32(?), ref: 70261A9C
GlobalFree.KERNEL32(?), ref: 70261AA1
__alldvrm.LIBCMT ref: 70261ACB

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: FreeGlobal$__alldvrmlstrcpy
String ID:
API String ID: 1811517867-0
Opcode ID: b04ac85641ea8886eb22c97759c1611e834f188e40ad711f2ffa1c8a96b9cf93
Instruction ID: 82113a73981242847814d899ec16fa3ea85eefa7141033842156e266238502da
Opcode Fuzzy Hash: b04ac85641ea8886eb22c97759c1611e834f188e40ad711f2ffa1c8a96b9cf93
Instruction Fuzzy Hash: E9510337F011069ACB12DFE4C88566DB77AEF4420872D815AE40693F54E674BFF0DA91

Function 70262800 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 70261C1B: GlobalFree.KERNEL32(?), ref: 70261E69
Part of subcall function 70261C1B: GlobalFree.KERNEL32(?), ref: 70261E6E
Part of subcall function 70261C1B: GlobalFree.KERNELBASE(?), ref: 70261E73

GlobalFree.KERNEL32(00000000), ref: 70262868

Part of subcall function 702615E0: GlobalAlloc.KERNEL32(00000040,?,?,702618AA,?), ref: 702615F6
Part of subcall function 702615E0: lstrcpynW.KERNEL32(00000004,?,?,702618AA,?), ref: 7026160C

Strings

error, xrefs: 7026283D

Memory Dump Source

Source File: 00000002.00000002.2612156353.0000000070261000.00000020.00000001.01000000.00000006.sdmp, Offset: 70260000, based on PE: true

Associated: 00000002.00000002.2612108950.0000000070260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612237169.0000000070263000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2612310355.0000000070265000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_70260000_PsiphonPortable.jbxd

Similarity

API ID: Global$Free$Alloclstrcpyn
String ID: error
API String ID: 4250884139-1574812785
Opcode ID: e8ae5c9445f8e1b792c9be4fae004fccaa41dfed839a5cd2a47c7d6b401898fb
Instruction ID: ddf65d2697e035e5e8ab8cd35672cc6bf38df676175bf81516756c05ba17f506
Opcode Fuzzy Hash: e8ae5c9445f8e1b792c9be4fae004fccaa41dfed839a5cd2a47c7d6b401898fb
Instruction Fuzzy Hash: 40010833A09611AEC3119BA4DC49B4E77E85F40394F14441AF586D7A10DBB4B8E85F73

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406966: GetVersion.KERNEL32(0043B238,?,00000000,00405109,0043B238,00000000,00000000,00000000,00000000), ref: 00406A37

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 004060B2: wsprintfW.USER32 ref: 004060BF

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 600f7a39d98bd087a3fa73ce05d1baab7dfc82f361ba09517c53b02978263ded
Instruction ID: b852d753667c04f7f8403c46551348dceb61737b9063f8de5ee225c6b1b91025
Opcode Fuzzy Hash: 600f7a39d98bd087a3fa73ce05d1baab7dfc82f361ba09517c53b02978263ded
Instruction Fuzzy Hash: B6018472A44650EFE701DBB4ED46BDA3FA4A725315F10C43AF541F61E3C678444A8B2D

Function 00407359 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407033: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00407057

lstrcpynW.KERNEL32(?,?,00000009), ref: 0040739A
lstrcmpW.KERNEL32(?,Version ), ref: 004073AB
lstrcpynW.KERNEL32(?,?,?), ref: 004073C2

Strings

Version , xrefs: 004073A2

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 5b254390c235843b3cd14036e60a35d0405450d943fe7c22a996b54282ed20ac
Instruction ID: be0c1bc54e1f5d3dac358994bef49e147f417753078ca6f75dbba3536d9e97a2
Opcode Fuzzy Hash: 5b254390c235843b3cd14036e60a35d0405450d943fe7c22a996b54282ed20ac
Instruction Fuzzy Hash: 68F08172A0021CABDB109AA49D46EDA777CEB44700F000076FA00F6180E6B5AE058BA5

Function 10001480 Relevance: 6.0, APIs: 4, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 100014A7
SendMessageW.USER32(00000000), ref: 100014AA
GetDlgItem.USER32(?,00000001), ref: 100014BF
EnableWindow.USER32(00000000), ref: 100014C2

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Item$EnableMessageSendWindow
String ID:
API String ID: 3471810782-0
Opcode ID: cdc701835a18efdbc5b32e1473691a6e8baa4da8af65885cbc45cdedd92b3f4c
Instruction ID: 8cb8bfa5ab36a404cc4ceb61c09436c2d8d817dce6776651a9d7fe6f52899f3f
Opcode Fuzzy Hash: cdc701835a18efdbc5b32e1473691a6e8baa4da8af65885cbc45cdedd92b3f4c
Instruction Fuzzy Hash: B8E06D705082206AFA109F308C88AFB7E9DEB44390F004806F940EA0E9C665CC91DA60

Function 004024FB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B54,?,00000001,00409B34,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
HideCommandLineWindow, xrefs: 00402646, 00402659

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d$HideCommandLineWindow
API String ID: 542301482-4244415611
Opcode ID: 72f94041dc772d4d9adb032695cde8a813159a995c234bec806880be495e7e30
Instruction ID: 8d6901ad6a64056badc23f129c971549208a59aeacbb917aec9ee0bd4eb55a7e
Opcode Fuzzy Hash: 72f94041dc772d4d9adb032695cde8a813159a995c234bec806880be495e7e30
Instruction Fuzzy Hash: F9414E74A00205AFCB04EFA0CC99EAE7B79EF48314B20456AF915EB2E1C679A941CB54

Function 00402C8A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000011), ref: 00402CAA
WriteFile.KERNEL32(00000000,?,HideCommandLineWindow,00000000,?,?,00000000,00000011), ref: 00402CCC

Strings

HideCommandLineWindow, xrefs: 00402C97, 00402CC0

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: FileWritelstrlen
String ID: HideCommandLineWindow
API String ID: 427699356-1563606009
Opcode ID: 51da3d6124d797b8f7165eed9bac9ad292a782a8f6b34c2fe15836bcfb95dec3
Instruction ID: 17b6097557221931d6ab36d6d47baa216711e37936d94999af4c5ae25bfb5482
Opcode Fuzzy Hash: 51da3d6124d797b8f7165eed9bac9ad292a782a8f6b34c2fe15836bcfb95dec3
Instruction Fuzzy Hash: 01F08972615204ABDB14EBB1DE45AAF7268DF00319F10443FE143F21D2D67D8645962D

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 00406404: lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
Part of subcall function 00406404: wvsprintfW.USER32(00000000,?,?), ref: 00406428

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
Instruction ID: d6a52e45258e13aa606ad2b2b5c1a00533a470e73934100eb5490deb1737a6ec
Opcode Fuzzy Hash: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
Instruction Fuzzy Hash: 02E09232A05111DBCB08BBB5A7495AE76B4EA5532A725007FE243F20D1DA7D8D01C62D

Function 10001BA4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

SHGetValueA.SHLWAPI(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,?,?,?), ref: 10001BCC

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 10001BC2
EnableLUA, xrefs: 10001BBD

Memory Dump Source

Source File: 00000002.00000002.2611971739.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2611924610.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612016933.0000000010004000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2612061033.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PsiphonPortable.jbxd

Similarity

API ID: Value
String ID: EnableLUA$Software\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 3702945584-2158134279
Opcode ID: 09b2d0f02fb7775a930ed96b6b852410dd262c409d82556381042c822823b52e
Instruction ID: 1a8543b653faaba41de9d809f226dd19f5be5b3a25162012483473e9e2a03304
Opcode Fuzzy Hash: 09b2d0f02fb7775a930ed96b6b852410dd262c409d82556381042c822823b52e
Instruction Fuzzy Hash: 39E0E6B5A00108B6EB01DBA1AC45BDFB7FCE7042C8F514165AA02F2044FB70DA04C695

Function 00403DE3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" ,00000000,771B2EE0,004039D5,-00000002,00403C31,?), ref: 00403DFD
GlobalFree.KERNEL32(?), ref: 00403E04

Strings

"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe" , xrefs: 00403DF5

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\PsiphonPortable.exe"
API String ID: 1100898210-3495464675
Opcode ID: 3e6e65f7e0b148a2159587eab1eb2803a36fbd9c76a6a57b41a6511bb26f2982
Instruction ID: 7b5d0e754ab654fd3587ae2081214c4606cb6cc152fa8691e9eece175d85dce4
Opcode Fuzzy Hash: 3e6e65f7e0b148a2159587eab1eb2803a36fbd9c76a6a57b41a6511bb26f2982
Instruction Fuzzy Hash: 29E0C2334141209BD7321F04E904B1B7B68BF45B72F05016EF8C03B2608B345C4286D8

Function 00406404 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""),00406FDA,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00406411
wvsprintfW.USER32(00000000,?,?), ref: 00406428

Part of subcall function 00406248: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406435,00000000), ref: 0040625F

Strings

Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe""), xrefs: 00406406, 0040640B

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: Exec: success (""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\App\Psiphon\psiphon3.exe"")
API String ID: 3509786178-3283049713
Opcode ID: 1d2697fad80eb9d0b70210806a91cde17483bf3f8fbb3d9bc72772a253d3c35e
Instruction ID: 2283ea6708b2d64b9e6789b455a10468216e6ae22039c90fe2b3791cf276606a
Opcode Fuzzy Hash: 1d2697fad80eb9d0b70210806a91cde17483bf3f8fbb3d9bc72772a253d3c35e
Instruction Fuzzy Hash: 3ED05E34060316BACA006BA0DD09A997764FBE0384F50052EF443C2070FA748004C70A

Function 050D5E75 Relevance: 5.1, APIs: 4, Instructions: 62stringCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(050D41C4,007437C0,-050D89A1,?,?,050D41C4,"DisableDisallowedTrafficAlert"=dword:00000001,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D5ED1
lstrlenW.KERNEL32(050D41C4,?,?,050D41C4,"DisableDisallowedTrafficAlert"=dword:00000001,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D5EDB
lstrcpynW.KERNEL32(050D41C4,007437C0,00010000,050D41C4,"DisableDisallowedTrafficAlert"=dword:00000001,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D5F1F
lstrlenW.KERNEL32(050D41C4,?,?,050D41C4,"DisableDisallowedTrafficAlert"=dword:00000001,?,C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Data\settings\Psiphon.reg), ref: 050D5F30

Memory Dump Source

Source File: 00000002.00000002.2611660380.00000000050D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 050D0000, based on PE: true

Associated: 00000002.00000002.2611613713.00000000050D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611705494.00000000050D7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611748941.00000000050D8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611799136.0000000005120000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.2611847122.0000000005132000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_50d0000_PsiphonPortable.jbxd

Similarity

API ID: lstrcpynlstrlen
String ID:
API String ID: 2914866366-0
Opcode ID: 622482a14d26770258d59f65da299a20ac37f032d79a546cf74f06001e53571f
Instruction ID: a6a30bf588e6b81db97c6fd8c4c715ad45697c7e7726020f6b7358457f0e2ebd
Opcode Fuzzy Hash: 622482a14d26770258d59f65da299a20ac37f032d79a546cf74f06001e53571f
Instruction Fuzzy Hash: 6411FE71622204DFC718DF68EC56A6EBBAAFF48210B888015FD45CB244DB39D442CB73

Function 00405F16 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406D34,00000000,[Rename]), ref: 00405F26
lstrcmpiA.KERNEL32(?,?), ref: 00405F3E
CharNextA.USER32(?,?,00000000,00406D34,00000000,[Rename]), ref: 00405F4F
lstrlenA.KERNEL32(?,?,00000000,00406D34,00000000,[Rename]), ref: 00405F58

Memory Dump Source

Source File: 00000002.00000002.2598050819.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2597624770.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598347908.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000040F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000413000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000417000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000041F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000427000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000461000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000483000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000048F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.00000000004C3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000513000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2598668262.0000000000557000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2604623380.00000000005B8000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PsiphonPortable.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 1c7a2535a4787e8fd3488feaed5d2e4763c3f1a0d20cb74bb0a69d7059b13449
Instruction ID: 33cf2896678c50374ca0d6f3786bc4b10779684cabbb7c7083e1740f3960db9f
Opcode Fuzzy Hash: 1c7a2535a4787e8fd3488feaed5d2e4763c3f1a0d20cb74bb0a69d7059b13449
Instruction Fuzzy Hash: E5F0C231105944AFCB019FA4CD04D9F7BA8EF5A350B2540AAE840E7210D634DE01DBA4

Analysis Process: psiphon3.exePID: 7536, Parent PID: 7408COMMON

Executed Functions

Function 0E806823 Relevance: 7.0, Strings: 5, Instructions: 717COMMON

Download Yara Rule

Strings

"psicash#modal-psicash-logout-offline-logout-anyway-button": "Log toch uit", "psicash#modal-psicash-logou, xrefs: 0E806C41, 0E807370
2|, xrefs: 0E8067C3
"psicash#modal-psicash-logout-offline-logout-anyway-button": "Log toch uit", "psicash#modal-psicash-logout-offlin, xrefs: 0E8067E1, 0E80719E
|!yk, xrefs: 0E8066FA
|!yk, xrefs: 0E806A55

Memory Dump Source

Source File: 00000004.00000003.1629001132.000000000E806000.00000004.00000800.00020000.00000000.sdmp, Offset: 0E806000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_e806000_psiphon3.jbxd

Similarity

API ID:
String ID: "psicash#modal-psicash-logout-offline-logout-anyway-button": "Log toch uit", "psicash#modal-psicash-logou$ "psicash#modal-psicash-logout-offline-logout-anyway-button": "Log toch uit", "psicash#modal-psicash-logout-offlin$2|$|!yk$|!yk
API String ID: 0-4105545856
Opcode ID: 51acaf3421835a01d9474d8a9de0c5a48ee7a422248845a43e5598f04cd8f7d3
Instruction ID: 6a954674f4397d99d276d25a9d760d8a9ea55f7c9b9421d31e70388b80e51979
Opcode Fuzzy Hash: 51acaf3421835a01d9474d8a9de0c5a48ee7a422248845a43e5598f04cd8f7d3
Instruction Fuzzy Hash: EF52DD70A40304DFEBA4CF68C981B6AB3E1BF88314F54451AE906EBBD1D375AC51CBA1

Function 0E972BA2 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1462945420.000000000E972000.00000004.00000800.00020000.00000000.sdmp, Offset: 0E972000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_e972000_psiphon3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c143ee51d8a651d312a44353240b1456bd027ae57384b1f50b7cc8288971e737
Instruction ID: 9f0557f6c883352b07fb3603b7d2ebf16c43aa724cc3549b8f49212953709e7e
Opcode Fuzzy Hash: c143ee51d8a651d312a44353240b1456bd027ae57384b1f50b7cc8288971e737
Instruction Fuzzy Hash: 77213A70758200AFFB14CF58CC91A7DB3ADEB85210F148D59E98597654D231DC4ADF51

Analysis Process: psiphon-tunnel-core.exePID: 8156, Parent PID: 7536COMMON

Non-executed Functions

Function 00446E00 Relevance: 12.7, Strings: 10, Instructions: 172COMMON

Download Yara Rule

Strings

bad g0 stackbad key sizebad rdlengthbad recoverybad value %dc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receivecheck fail: client_authzclient_helloclose notifyclose_notifyconjure_stuncontent-typecontext.TODOdata_on_idledebug_redactdecode_e, xrefs: 0044700A
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sendSocks5Response: Failed write response: %ssending payload data in non-established statesending reset packet in non-establi, xrefs: 004470E7
%, xrefs: 00447124
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sendSocks5Response: Failed write response: %ssending payload data in non-established statesending reset packet in non-established statessh: only handshakeTransport can se, xrefs: 0044708C
runtime: g0 stack [runtime: heapInUse=runtime: pcdata is runtime: preempt g0runtime: totalFree=sampling period=%dsemaRoot rotateLeftserver_entry_regionserver_entry_sourceserver_key_exchangeskip this directoryssh: pty-req failedstart cpu profilingstopm holding, xrefs: 00446F9B
CreateWaitableTimerEx when creating timer failedCryptoSetupClient: no encryption level specifiedDNSResolverCacheExtensionVerifiedTTLMillisecondsInt.GobDecode: encoding version %d not supportedReceived %d bytes on stream %d, allowed %d bytesRecordRemoteServerLi, xrefs: 004470C0
VirtualQuery for stack base failed[ServerStateStart] Cookie mismatch[handshake] clean old session : %s" is anonymous but has PkgPath seta stream with ID %d already existsabort chunk, with following errorsadding nil Certificate to CertPoolall registration attem, xrefs: 00447065
runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setslice of unknown type in field %d: %Tssh: StderrPipe after process startedssh: StdoutPipe after process starteds, xrefs: 0044711B
)*.*=+++-+=, ---=->.1///=/i00010X0b0o0s0x11131425535556586263657072808385879699: :=::]; <-<<<==#==="> >=>>??A3A4CHCNCSCcCfCoCsDHDSHSIDINKXLPLlLmLoLtLuMBMDMFMGMRMXMcMeMnNONSNdNlNoOKOUPXPcPdPePfPiPoPsRPRTSTScSkSmSoTATeToV1V2V3V5V6YiZlZpZs[ [][^" ")":">"\*\.\:, xrefs: 00446FEF
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00447031

Memory Dump Source

Source File: 0000000C.00000002.2598354940.0000000000411000.00000020.00000001.01000000.00000017.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000C.00000002.2598081473.0000000000410000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2608457403.0000000000C95000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2608457403.0000000000F82000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613191373.00000000014E7000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613267345.00000000014F3000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613339771.00000000014F4000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613412691.00000000014F5000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613588387.0000000001575000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613634336.000000000157A000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613713982.000000000157B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613765660.000000000157C000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613839776.000000000157D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613914863.000000000157F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613996022.0000000001580000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613996022.000000000158C000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613996022.00000000015AC000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613996022.00000000015B0000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2614309302.00000000015C0000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2614381124.00000000015C1000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_410000_psiphon-tunnel-core.jbxd

Similarity

API ID:
String ID: %$)*.*=+++-+=, ---=->.1///=/i00010X0b0o0s0x11131425535556586263657072808385879699: :=::]; <-<<<==#==="> >=>>??A3A4CHCNCSCcCfCoCsDHDSHSIDINKXLPLlLmLoLtLuMBMDMFMGMRMXMcMeMnNONSNdNlNoOKOUPXPcPdPePfPiPoPsRPRTSTScSkSmSoTATeToV1V2V3V5V6YiZlZpZs[ [][^" ")":">"\*\.\:$CreateWaitableTimerEx when creating timer failedCryptoSetupClient: no encryption level specifiedDNSResolverCacheExtensionVerifiedTTLMillisecondsInt.GobDecode: encoding version %d not supportedReceived %d bytes on stream %d, allowed %d bytesRecordRemoteServerLi$VirtualQuery for stack base failed[ServerStateStart] Cookie mismatch[handshake] clean old session : %s" is anonymous but has PkgPath seta stream with ID %d already existsabort chunk, with following errorsadding nil Certificate to CertPoolall registration attem$bad g0 stackbad key sizebad rdlengthbad recoverybad value %dc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receivecheck fail: client_authzclient_helloclose notifyclose_notifyconjure_stuncontent-typecontext.TODOdata_on_idledebug_redactdecode_e$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sendSocks5Response: Failed write response: %ssending payload data in non-established statesending reset packet in non-establi$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setslice of unknown type in field %d: %Tssh: StderrPipe after process startedssh: StdoutPipe after process starteds$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sendSocks5Response: Failed write response: %ssending payload data in non-established statesending reset packet in non-established statessh: only handshakeTransport can se$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: heapInUse=runtime: pcdata is runtime: preempt g0runtime: totalFree=sampling period=%dsemaRoot rotateLeftserver_entry_regionserver_entry_sourceserver_key_exchangeskip this directoryssh: pty-req failedstart cpu profilingstopm holding
API String ID: 0-513651817
Opcode ID: 2ea05ce083bc68afbbae2dc362491bc6fd34ecdb372936e59c18e5054fcfe2da
Instruction ID: ed5480e22aee70535fea2887c8931f75a6090d884a89b4938b0cc388233ab9f8
Opcode Fuzzy Hash: 2ea05ce083bc68afbbae2dc362491bc6fd34ecdb372936e59c18e5054fcfe2da
Instruction Fuzzy Hash: 5A8101B450A3059FE340EF66C18575ABBE4BF88708F05892EF48897342D7B8D849CF5A

Function 00457A50 Relevance: 5.1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

p->status= s.nelems= schedtick= span.list= timerslen=# Sys = %d#EXT-X-KEY:#EXT-X-MAP:%!(BADPREC)%s Op: %s%s Sub: [%s %s,%d,%d%s (%d): %s%s-%s-%s-%s%s=%s %s=%d) at entry++[redacted], elemsize=, npages = , settings:,BANDWIDTH=,BYTERANGE=,GROUP-ID=",LANGUA, xrefs: 00457B57
m->p= max= min= next= p->m= prev= span=#%#x% util%.0fm %.1f%c%.2fm %0.16X%0.16x%d %s%s ]%s: %s%v: %v%w: %d%w: %s%w: %t%w: %v' for (...), i = , id: , not , val ,%d-%d,TIME=,URI=".local.onion.proto0.%02d0x%04X390625::/128:https<-chan</a>.ACPKIXAcceptAn, xrefs: 00457B0B
releasep: invalid argrequest_connection_idrotatingSyncFrequencyruntime: confused by runtime: mappedReady=runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: totalMapped=runtime: work.nwait= secretbox.Open failedsequence tag mismatchset bit , xrefs: 00457BA1
releasep: m=remote errorrsa-sha2-256rsa-sha2-512rsa_fixed_dhruby_packageruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptserver_authzserver_hellosetupapi.dllshort bufferspanSetSpinesplit_tunnelssh-userauthstatus code string_valuesweepWaitersswift_pr, xrefs: 00457AE9

Memory Dump Source

Source File: 0000000C.00000002.2598354940.0000000000411000.00000020.00000001.01000000.00000017.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000C.00000002.2598081473.0000000000410000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2608457403.0000000000C95000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2608457403.0000000000F82000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613191373.00000000014E7000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613267345.00000000014F3000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613339771.00000000014F4000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613412691.00000000014F5000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613588387.0000000001575000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613634336.000000000157A000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613713982.000000000157B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613765660.000000000157C000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613839776.000000000157D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613914863.000000000157F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613996022.0000000001580000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613996022.000000000158C000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613996022.00000000015AC000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2613996022.00000000015B0000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2614309302.00000000015C0000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000C.00000002.2614381124.00000000015C1000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_410000_psiphon-tunnel-core.jbxd

Similarity

API ID:
String ID: m->p= max= min= next= p->m= prev= span=#%#x% util%.0fm %.1f%c%.2fm %0.16X%0.16x%d %s%s ]%s: %s%v: %v%w: %d%w: %s%w: %t%w: %v' for (...), i = , id: , not , val ,%d-%d,TIME=,URI=".local.onion.proto0.%02d0x%04X390625::/128:https<-chan</a>.ACPKIXAcceptAn$ p->status= s.nelems= schedtick= span.list= timerslen=# Sys = %d#EXT-X-KEY:#EXT-X-MAP:%!(BADPREC)%s Op: %s%s Sub: [%s %s,%d,%d%s (%d): %s%s-%s-%s-%s%s=%s %s=%d) at entry++[redacted], elemsize=, npages = , settings:,BANDWIDTH=,BYTERANGE=,GROUP-ID=",LANGUA$releasep: invalid argrequest_connection_idrotatingSyncFrequencyruntime: confused by runtime: mappedReady=runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: totalMapped=runtime: work.nwait= secretbox.Open failedsequence tag mismatchset bit $releasep: m=remote errorrsa-sha2-256rsa-sha2-512rsa_fixed_dhruby_packageruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptserver_authzserver_hellosetupapi.dllshort bufferspanSetSpinesplit_tunnelssh-userauthstatus code string_valuesweepWaitersswift_pr
API String ID: 0-3870917423
Opcode ID: 77ee2ae002edfec4ba69424a74fd418fd7b8ec1d6efdff4c80eeff82d8621ece
Instruction ID: a6849ef70b9f48b947dd40933684af522c62dfe52fa8f84c50bba747e1a44c85
Opcode Fuzzy Hash: 77ee2ae002edfec4ba69424a74fd418fd7b8ec1d6efdff4c80eeff82d8621ece
Instruction Fuzzy Hash: 2031F4B4509744DFE340EF25C18575EBBE4BF88708F05896EE88887312D7789988CFA6

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sVfXReO3QI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user~1\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit (copy)

C:\Users\user~1\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.commit (copy)

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\banner[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\speed-boost-button-1-week[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\turtle[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\flags32[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\icomoon[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\main[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\speed-boost-button-1-month[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\logo[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\psicash_coin[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\rocket[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\speed-boost-button-1-day[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\flag_unknown_64[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\logo-bw[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\psicash_coin_grey[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\speed-boost-button-1-hour[1]

C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb

Windows Analysis Report
sVfXReO3QI.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre